Number:IRCNE2014042174
Date: 2014-04-27
According to “computerworld”, Microsoft on Saturday told customers that cyber-criminals are exploiting an unpatched and critical vulnerability in Internet Explorer (IE) using "drive-by" attacks.
"Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11," the company said in a security advisory.
All currently-supported versions of IE are at risk, Microsoft said, including 2001's IE6, which still receives patches on Windows Server 2003. The same browser will not be repaired on Windows XP, as the operating system was retired from patch support on April 8.
The IE flaw was the first post-retirement bug affecting XP.
Because Microsoft will eventually patch the drive-by bug in IE6, IE7 and IE8, then deliver those patches to PCs running Windows Vista and Windows 7, it's likely that hackers will be able to uncover the flaw in the browsers' code, then exploit it on the same browsers running on Windows XP.
Microsoft said that was the biggest risk of running XP -- and IE on it -- after the operating system was retired, claiming last year that XP was 66% more likely to be infected with malware once patching stopped.
Windows XP users can make it more difficult for attackers to exploit the IE bug by installing the Enhanced Mitigation Experience Toolkit (EMET) 4.1, an anti-exploit utility available on Microsoft's website.
The security advisory included other steps customers can take to reduce risk. Among them is to "unregister" the vgx.dll file. That .dll (for dynamic-link library) is one of the modules that renders VML (vector markup language) within Windows and IE.
Another way Windows XP users can avoid IE-based attacks is to switch to an alternate browser, like Google's Chrome or Mozilla's Firefox. Both will continue to receive security updates for at least the next 12 months.
- 4