BOSTON: Microsoft Corp urged Windows users to install a free piece of security software to protect PCs from a newly discovered bug in its Internet Explorer browser.
The security flaw, which researchers say could allow hackers to take remote control of an infected PC, affects Internet Explorer browsers used by hundreds of millions of consumers and workers.
Microsoft said it will advise customers on its website to install the security software as an interim measure, buying it time to fix the bug and release a new, more secure version of the web browser.
The free security tool, which is known as the Enhanced Mitigation Experience Toolkit, or EMET, is available on Microsoft’s website: http://bit.ly/Kv497S.
Eric Romang, a researcher in Luxembourg, discovered the flaw on Friday, when his PC was infected by a piece of malicious software known as Poison Ivy that hackers use to steal data or take remote control of PCs.
When he analysed the infection, he learned that Poison Ivy had gotten on to his system by exploiting a previously unknown bug, or “zero-day” vulnerability, in Internet Explorer.
“Any time you see a zero-day like this, it is concerning,” said Liam O Murchu, a research manager with antivirus software maker Symantec Corp. “There are no patches available. It is very difficult for people to protect themselves.”
Zero-day vulnerabilities are rare, mostly because they are hard to identify – requiring highly skilled software engineers or hackers with lots of time to scrutinise code for holes that can be exploited to launch attacks.
Security experts only disclosed discovery of eight major zero-day vulnerabilities in all of 2011, according Symantec.
Symantec and other major antivirus software makers have already updated their products to protect customers against the newly discovered bug in Internet Explorer. Yet O Murchu said that may not be sufficient to ward off adversaries.
“The danger with these types of attacks is that they will mutate and the attackers will find a way to evade the defenses we have in place,” he said.
Some security experts said computer users should avoid Internet Explorer, even if they install the EMET security tool available from Microsoft.
“It doesn’t appear to be completely effective,” said Tod Beardsley, an engineering manager with the security firm Rapid7.
Rapid7 released software on Monday that security experts can use to simulate attacks that exploit the security flaw in Internet Explorer to see whether corporate networks are vulnerable to that particular bug.
Marc Maiffret, chief technology officer of the security firm BeyondTrust, said it may not be feasible for some businesses and consumers to install Microsoft’s EMET tool on their PCs.
He said the security software has in some cases proven to be incompatible with existing programs already running on networks.
Dave Marcus, director of advanced research and threat intelligence with Intel Corp’s McAfee security division, said it might be a daunting task for home users to locate, download and install the EMET tool.
“For consumers it might be easier to simply click on Chrome,” Marcus said.
Internet Explorer was the world’s second-most widely used browser last month, with about 33% market share, according to StatCounter. It was close behind Google Inc’s Chrome browser, which had 34% of the market.