Update: Third of Internet Explorer users at risk from attacks
Microsoft confirms both IE9 and IE10 contain vulnerability, urges customers to upgrade to IE11; leaves Vista users out in the cold
Computerworld - Microsoft on Friday said that both Internet Explorer 10 and its predecessor, IE9, contained an unpatched vulnerability, but that hackers were currently exploiting only the newest, IE10.
The extension of the vulnerability to IE9 followed confirmation earlier yesterday that active attacks are compromising the newer IE10 and hijacking PCs running the browser.
"Microsoft is aware of limited, targeted attacks against Internet Explorer 10. Our initial investigation has revealed that Internet Explorer 9 and Internet Explorer 10 are affected," a Microsoft spokesperson said via email today.
With both IE9 and IE10 vulnerable, it means that about a third of all those using Internet Explorer are at risk.
According to Web analytics vendor Net Applications, IE9 accounted for 15.3% of the total IE user share last month; IE10's share was 15.9%. Together, the two editions represented 31.2% of Internet Explorer's January user share.
Milpitas, Calif.-based FireEye was the first to spot the attacks, and said that they had been aimed at IE10 as part of a campaign targeting current and former U.S. military personnel when they visited the Veterans of Foreign Wars (VFW) website.
While FireEye said it identified the "zero-day" vulnerability -- a term to indicate that the flaw is currently unpatched -- on Feb. 11, yesterday San Diego security company Websense said it had found evidence that the exploit may have been used as early as Jan. 20, or more than three weeks ago.
Websense also speculated that those earlier attacks had been aimed at visitors to a French aerospace association's website. Members of the organization, GIFAS (Groupement des Industries Francaises Aeronautiques et Spatiales), include defense and space contractors and subcontractors.
GIFAS is best known to the general public as the sponsor, through a subsidiary, of the Paris Air Show, an annual extravaganza where aircraft makers, both commercial and military, strut their newest wares.
Microsoft's advice to customers that they upgrade to IE11 was not possible for those still running Windows Vista. That 2007 operating system cannot run either IE10 or IE11. Most Vista users are likely running IE9, since Microsoft automatically upgraded their copies of from IE7 or IE8 to the then-new IE9 in the first half of 2012.
The only silver lining is that few Windows users run Vista: Last month, the oft-disparaged OS represented just 3.6% of all editions of Windows.
Microsoft has not said if it will issue an "out-of-band" security update -- a rush fix shipped before the next regularly-scheduled Patch Tuesday of March 11 -- or yet issued a formal security advisory. It will certainly do the latter, and at that time may, as it often does, provide a work-around to protect IE9 and IE10 users.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org..> >
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Microsoft plans another short patch slate for next week, but finds a few XP bugs to crush
- Target attack shows danger of remotely accessible HVAC systems
- Target hackers try new ways to use stolen card data
- Update: Microsoft to patch just-revealed Windows zero-day tomorrow
- NSA spying prompts open TrueCrypt encryption software audit to go viral
- Microsoft warns of Office zero-day, active hacker exploits
- Hackers move to create next Blackhole after 'Paunch' arrest
- Adobe hack shows subscription software vendors lucrative targets
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts