Ubizen's security intelligence lab (SIL) is warning its customers against three new vulnerabilities that have been discovered in the latest fully patched version of Microsoft Internet Explorer (IE). Two of the vulnerabilities mean that users that connect to the internet using IE are at significant risk of a hacker (or virus) taking complete control of their PC. The third vulnerability enables a hacker to launch a phishing attack, meaning hackers can pick up duped users' confidential details. No Microsoft patch is currently available to protect against this threat, meaning internet users need to change their internet browser immediately or change their IE security settings.
"Fortunately the researcher who discovered the malicious code to exploit the first two vulnerabilities, did not distribute the attack across the internet. However, experienced hackers are likely to have already discovered the code," said Dirk Van Droogenbroeck researcher in Ubizen's SIL. "As there is no fix available, the hacker community will seek to massively exploit these vulnerabilities.
To reduce the risk of attack, businesses need to take the following actions:
- Ideally businesses should use an alternative web browser, such as Netscape, Mozilla, Opera
- If businesses choose to continue using Microsoft's IE Web browser, they need to adjust the security settings to disable 'Active scripting'
- Set the security settings on IE Explorer as 'High' for all zones and don't follow links from untrustworthy sources, ensure URLs are manually entered in the address bar.
"The exploits received by the researcher were created before Microsoft was aware of the vulnerabilities - known in the security industry as 'zero-day exploits'. These exploits pose a significant security threat to businesses. Whilst the researcher chose not to distribute a 'zero-day attack' when he discovered the code to the unknown vulnerabilities, he did announce their existence to the world and gave a full description of how the exploits work," continued Van Droogenbroeck.