I just found this breaking story by Hannah Kucher, in the Tech Hub of the Financial Times, about a serious flaw found in the Internet Explorer browser that enables cyber criminals to impersonate websites to steal user data. (Update: This flaw affects versions 9 - 11. See the WSJ article below.)

(*I've discovered the Financial Times allows one to view this article once before requiring you to sign up for some kind of subscription. I'm looking for an alternative source for this information.)

A serious flaw has been found in Microsoft’s Internet Explorer browser which has allowed cyber criminals to impersonate known websites to steal user data.
Microsoft warned that the vulnerability had already been used in “limited, targeted attacks” against people and networks using Internet Explorer versions 6 to 11, which make up over a quarter of all web browsers.

No solution is available yet. Microsoft will take "appropriate action" as soon as it has "completed its investigation," according to Kucher.

“An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system,” the company said in a statement. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

A cyber criminal has to tempt the user on to a fake site, by “phishing”, using, for example, an email or an instant message with a link in it to be able to use the vulnerability, the company said.

The revelation of this flaw follows the discovery of one of the most significant vulnerabilities ever found in security software earlier this month. Hackers have used the “Heartbleed bug” to steal user passwords and confidential data, such as Canadian social insurance numbers, in the crucial period between the attack being announced and companies updating their software.

Microsoft has put advice on how IT departments can work around this vulnerability while it works to fix it.

Apparently, there have been active campaigns to exploit these weaknesses, and not just for money, but also for intellectual property rights and customer data. A specialist consulting firm asserts an underground market has emerged selling software so non-experts can exploit these weaknesses.

This flaw exists in versions of the software that are used in 26.5% of the market that existed in 2013.

Be careful out there, Kossacks.

4:05 PM PT: This WSJ article asserts this flaw affects IE versions 9-11 (the above article asserts 6 - 11). The WSJ reports this will primarily affect people using the XP operating system; however, ColoTim corrects this misinformation. I've adjusted the title. This does affect one quarter of all computers but perhaps not yours. This Wall Street Journal article is a lot more informative.

Windows XP just got extra dangerous.

Microsoft on Sunday warned about hacking attacks against versions six through 11 of its flagship browser. If exploited, the coding flaw would allow hackers to have the same level of access on a network computer as the official user. That’s really bad.

FireEye, a security company that claimed credit for finding the hole, said it is part of a hacking campaign against U.S. financial and defense companies but wouldn’t elaborate. The company said attacks mainly are targeted at Internet Explorer 9 through Internet Explorer 11.

The bug affects the browser when used on multiple Microsoft operating systems. But the situation poses a special concern for people still using Windows XP.

The software was introduced in 2001, and Microsoft on April 8 stopped supporting XP with software updates–including security patches for the operating system and its browser. XP can run up to Internet Explorer 8.

The operating system, though outdated and plagued with security flaws, still runs on some 300 million machines. The Redmond, Wash., tech giant offers extended support for corporate clients still running XP but at a hefty price.

5:48 PM PT: ColoTim corrected the statement I repeated from the WSJ that this error primarily affected XP. This is not true; many other computers are impacted. Thanks, Tim. Also, the WSJ was wrong about versions 9-11; the Financial Times correctly reports that versions 6-11 are flawed.
