Internet Explorer bug reveals “zero-day” vulnerability

Are you still using Internet Explorer? You might want to reconsider for now, especially because there is a major security flaw in the program.

The security flaw, which researchers say could allow hackers to take remote control of an infected PC, affects Internet Explorer browsers used by hundreds of millions of consumers and workers. Microsoft said it will advise customers on its website to install the security software, the Enhanced Mitigation Experience Toolkit (EMET), as an interim measure, buying it time to fix the bug and release a new, more secure version of Internet Explorer.

Eric Romang, a researcher in Luxembourg, discovered the flaw in Internet Explorer on Friday when his PC was infected by a piece of malicious software known as Poison Ivy that hackers use to steal data or take remote control of PCs. This is not just any run of the mill virus that can be removed by simply running anti-virus software: this particular one exploits a previously unknown bug, or “zero-day” vulnerability, in Internet Explorer.

“Any time you see a zero-day like this, it is concerning,” said Liam O. Murchu, a research manager with anti-virus software maker Symantec. “There are no patches available. It is very difficult for people to protect themselves.” Although “zero-day” vulnerabilities are rare, mostly because they are hard to identify, only the most skilled software engineers and hackers can identify them after carefully scrutinizing a lot of code. Security experts only disclosed discovery of eight major zero-day vulnerabilities in all of 2011, according to Symantec.

Although most anti-virus makers have already upgraded their software to protect against such bugs, Murchu says that might not be enough. “The danger with these types of attacks is that they will mutate and the attackers will find a way to evade the defenses we have in place,” he said.

Some security experts said computer users should avoid Internet Explorer, even if they install the EMET security tool available from Microsoft. “It doesn’t appear to be completely effective,” said Tod Beardsley, an engineering manager with the security firm Rapid7. Other security firms are also in concurrence, saying that the EMET tool might not be compatible with programs already running on some networks.