Enterprising hackers have uncovered a new vulnerability in Microsoft's flagship browser that endangers anyone using Internet Explorer, especially the holdouts still running Windows XP.
On Saturday, April 26, Microsoft announced that Internet Explorer versions 6 through 11 were at risk for drive-by attacks from malicious websites. To make matters worse, Windows XP runs three of the vulnerable IE versions and no longer receives support or updates from Microsoft, leaving the operating system permanently vulnerable to this exploit.
The new drive-by vulnerability, named CVE-2014-1776 by Microsoft, can give hackers the same user rights as the current user. A successful attack against a PC running Internet Explorer where the user is logged in as an administrator would give the hacker the full range of administrative permissions, which could include creating new user accounts, changing stored data, deleting files, and installing other malicious files. Keep in mind that most Windows users operate their Windows PC as an administrator.
For a PC to be infected through this vulnerability, the user would have to visit a website that deliberately serves malicious code designed to exploit the coding error. Microsoft also warns that the vulnerability might be exploited through websites that "accept or host user-provided content or advertisements," which could allow an attacker to insert his malicious code.
At this time, Microsoft has not announced when a patch will be issued for this vulnerability. The deployment of an emergency patch prior to May 13's Patch Tuesday is still a possibility for most versions of Internet Explorer.
The XP problem
Users who have yet to move away from Windows XP should be aware that there will not be a patch made available for their operating system. In this vulnerable state, using Internet Explorer on a Windows XP PC is inadvisable.
The safest course of action, short of installing a new operating system, would be to use a different browser, such as Google's Chrome or Mozilla's Firefox.