Bad news for anyone using Internet Explorer (and worse news for anyone whose computer still runs on Windows XP, even though Microsoft stopped supporting XP earlier this month): hackers might be able to plant malware on your computer, without any effort from you.

Usually, when you read warning stories about the latest malware threat, they'll tell you to protect yourself by avoiding certain actions: don't click on that suspicious-looking link, don't open that spammy-looking email, don't download that unsolicited file.

What makes this latest Internet Explorer threat especially dangerous is that hackers can install malicious software on your computer without your first clicking a link, opening an email or downloading a file — merely visiting a hacked or compromised website is all it takes.

Nobody noticed

Turns out that Internet Explorer, even the versions still supported by Microsoft, has always contained a major security hole which nobody knew about until the security firm FireEye Research Labs announced, on April 26, that it had “identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11.”

“Zero-day” is tech-speak for any threat exploiting a previously unknown vulnerability; since nobody (other than bad-guy hackers) knew about the security hole, nobody's had time to patch it, and so zero days pass between the discovery of the vulnerability and the first time that vulnerability is attacked. FireEye called this latest IE flaw “significant,” because the “vulnerable versions [of IE] represent about a quarter of the total browser market.”

Microsoft Security responded promptly to news of FireEye's discovery, promising to find a fix for the problem and include it in the next automatic update (for supported systems; this will not help those of you still using XP). Meanwhile, “Microsoft continues to encourage customers to follow the guidance in the Microsoft Safety & Security Center of enabling a firewall, applying all software updates, and installing antimalware software.”

Complete control

But suppose you're an IE user who does none of this, and hackers manage to get into your computer. What happens then?

According to Microsoft: “An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

In other words: anything you can do with your computer, a hacker can do while pretending to be you.
