American software giant Microsoft has issued a security advisory regarding a vulnerability in a few older versions of Internet Explorer that could allow remote code execution.
On Saturday, Microsoft confirmed that it is investigating public reports of a vulnerability in versions 6, 7, and 8 of Internet Explorer.
Versions 9 and 10 are not affected by the vulnerability.
Microsoft is aware of targeted attacks that attempt to exploit this vulnerability through Internet Explorer 8.
The Redmond-based company said that an attacker who successfully exploits the vulnerability can gain the same user rights as the current user. Users whose accounts are configured with fewer rights on the system would be less affected than users who operate with administrative rights.
Microsoft gives an example of how an attacker could use this flaw in IE (versions 6, 7 and 8) to their advantage:
"In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website."
Darien Kindlund, a senior staff scientist at the security company FireEye, said on his blog that they had received reports of the CFR (Council on Foreign Relations) website being compromised and hosting the malicious content at around 2:00 PM EST on Dec 21.
CFR is an American non-profit, non-partisan member organisation and think tank specialising in US foreign policy and international affairs.
He further said, "We can also confirm that the malicious content hosted on the website does appear to use Adobe Flash to generate a heap spray attack against Internet Explorer version 8.0 (fully patched), which was the source of the zero-day vulnerability".
Microsoft has suggested the following tips to reduce the exposure of Windows PCs running Internet Explorer versions 6, 7, and 8:
- Install anti-virus and anti-spyware programs from a trusted source.
- Never download anything in response to a warning from a program you did not install, and don't blindly accept claims that it will protect the PC or remove viruses; it will most likely do the opposite.
- Always turn on automatic updates for anti-virus software.
- Uninstall redundant software that is rarely used.
- Use long passwords of at least 14 characters that combine letters, numbers and symbols (and never share passwords).
- Never turn off the firewall, as it acts as a protective barrier between the system and the Internet.
Microsoft has listed on its website which software is vulnerable and which is not, across the different versions of Windows.
As of now, the security flaw has been found only in Internet Explorer versions 6, 7 and 8. Users of IE versions 9 and 10 are not affected, but they are still advised to be cautious when installing software from unfamiliar sources.