A major security flaw affecting several versions of Microsoft’s Internet Explorer web browser was discovered over the weekend, and the percentage of computer users that could be compromised by the exploit is absolutely staggering.
Bill Gates’ Microsoft Corp. announced on Saturday that Internet Explorer versions 6 through 11 are all vulnerable to a glitch that, when properly exploited, can give hackers remote access to a victim’s computer.
When combined, versions 9 through 11 of the browser accounted for 26.25 percent of all web traffic in 2013, security firm FireEye claimed over the weekend. If all vulnerable versions are accounted for, however, then upwards of 56 percent of the browsers currently in use around the world are reportedly in danger of being exploited.
A person with knowledge of the vulnerability may create a fake website that, when visited, allows the hacker to exploit the bug and break into the visitor’s machine, Microsoft warned.
"An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights," the company advised.
According to FireEye spokesman Vitor De Souza, hackers had already taken advantage of the exploit by targeting unnamed US-based firms that are tied to the defense and financial sectors.
"It's unclear what the motives of this attack group are, at this point," De Souza told Reuters on Sunday. "It appears to be broad-spectrum intel gathering."
On the official FireEye blog, security experts said that the hacking campaign has been dubbed “Operation Clandestine Fox,” and is consistent with other attacks linked to an advanced persistent threat group that has previously attracted the attention of investigators.
The unknown APT group has had access to "a select number of browser-based 0-day exploits in the past," FireEye stated, but declined to publish further details.
Microsoft was unable to patch the vulnerability by the time the weekend was over, and the United States government’s Computer Emergency Readiness Team (CERT) issued an alert warning computer users to “consider employing an alternative web browser.”
"We are currently unaware of a practical solution to this problem," Carnegie Mellon's Software Engineering Institute warned in an advisory of its own.
Additionally, news of the vulnerability surfaced only weeks after Microsoft officially stopped offering security patches for its highly popular XP operating system.
"XP users are not safe anymore and this is the first vulnerability that will not be patched for their system," Symantec researcher Christian Tripputi warned.