I just found this breaking story by Hannah Kucher, in the Tech Hub of the Financial Times, about a serious flaw found in the Internet Explorer browser that enables cyber criminals to impersonate websites to steal user data. (Update: This flaw affects versions 9 - 11; see the WSJ article below.)
(*I've discovered the Financial Times allows you to view this article once before requiring you to sign up for some kind of subscription. I'm looking for an alternative source for this information.)
A serious flaw has been found in Microsoft’s Internet Explorer browser which has allowed cyber criminals to impersonate known websites to steal user data.
Microsoft warned that the vulnerability had already been used in “limited, targeted attacks” against people and networks using Internet Explorer versions 6 to 11, which make up over a quarter of all web browsers.
No solution is available yet. Microsoft will take "appropriate action" as soon as it has "completed its investigation," according to Kucher.
“An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system,” the company said in a statement. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
A cyber criminal has to tempt the user on to a fake site, by “phishing”, using, for example, an email or an instant message with a link in it to be able to use the vulnerability, the company said.
The revelation of this flaw follows the discovery of one of the most significant vulnerabilities ever found in security software earlier this month. Hackers have used the “Heartbleed bug” to steal user passwords and confidential data, such as Canadian social insurance numbers, in the crucial period between the attack being announced and companies updating their software.
Microsoft has published advice on how IT departments can work around this vulnerability while it works on a fix.
Apparently, there have been active campaigns to exploit this weakness, and not just for money but also for intellectual property and customer data. A specialist consulting firm asserts that an underground market has emerged selling software so that non-experts can exploit these weaknesses.
This flaw exists in versions of the browser that made up 26.5% of the market in 2013.
Be careful out there Kossacks.
4:05 PM PT: This WSJ article asserts this flaw affects IE versions 9-11 (the above article asserts 6-11). The WSJ reports this will primarily affect people using the XP operating system; however, ColoTim corrects this misinformation. I've adjusted the title. This does affect one quarter of all computers, but perhaps not yours. This Wall Street Journal article is a lot more informative.
Microsoft on Sunday warned about hacking attacks against versions six through 11 of its flagship browser. If exploited, the coding flaw would allow hackers to have the same level of access on a network computer as the official user. That’s really bad.
FireEye, a security company that claimed credit for finding the hole, said it is part of a hacking campaign against U.S. financial and defense companies but wouldn’t elaborate. The company said attacks mainly are targeted at Internet Explorer 9 through Internet Explorer 11.
The bug affects the browser when used on multiple Microsoft operating systems. But the situation poses a special concern for people still using Windows XP.
The software was introduced in 2001, and Microsoft on April 8 stopped supporting XP with software updates–including security patches for the operating system and its browser. XP can run up to Internet Explorer 8.
The operating system, though outdated and plagued with security flaws, still runs on some 300 million machines. The Redmond, Wash., tech giant offers extended support for corporate clients still running XP but at a hefty price.
5:48 PM PT: ColoTim corrected the statement I repeated from the WSJ that this error primarily affected XP. This is not true; many other computers are impacted. Thanks, Tim. Also, the WSJ was wrong about versions 9-11; the Financial Times correctly reports that versions 6-11 are flawed.