Sep. 17, 2012 at 7:29 PM ET
Microsoft urgedWindows users on Monday to install a free piece of securitysoftware to protect PCs from a newly discovered bug in theInternet Explorer browser.
The security flaw, which researchers say could allow hackersto take remote control of an infected PC, affects InternetExplorer browsers used by hundreds of millions of consumers andworkers. Microsoft said it will advise customers on its websiteto install the security software as an interim measure, buyingit time to fix the bug and release a new, more secure version ofInternet Explorer.
The free security tool, which is known as the EnhancedMitigation Experience Toolkit, or EMET, is available from Microsoft.
Eric Romang, a researcher in Luxembourg, discovered the flawin Internet Explorer on Friday, when his PC was infected by apiece of malicious software known as Poison Ivy that hackers useto steal data or take remote control of PCs.
When he analyzed the infection, he learned that Poison Ivyhad gotten on to his system by exploiting a previously unknownbug, or "zero-day" vulnerability, in Internet Explorer.
"Any time you see a zero-day like this, it is concerning,"said Liam O Murchu, a research manager with anti-virus softwaremaker Symantec. "There are no patches available.It is very difficult for people to protect themselves."
Zero-day vulnerabilities are rare, mostly because they arehard to identify — requiring highly skilled software engineersor hackers with lots of time to scrutinize code for holes thatcan be exploited to launch attacks. Security experts onlydisclosed discovery of eight major zero-day vulnerabilities inall of 2011, according Symantec.
Symantec and other major anti-virus software makers havealready updated their products to protect customers against thenewly discovered bug in Internet Explorer. Yet O Murchu saidthat may not be sufficient to ward off adversaries.
"The danger with these types of attacks is that they willmutate and the attackers will find a way to evade the defenseswe have in place," he said.
Some security experts said computer users should avoidInternet Explorer, even if they install the EMET security toolavailable from Microsoft.
"It doesn't appear to be completely effective," said TodBeardsley, an engineering manager with the security firm Rapid7.
Rapid7 released software on Monday that security experts canuse to simulate attacks that exploit the security flaw inInternet Explorer to see whether corporate networks arevulnerable to that particular bug.
Marc Maiffret, chief technology officer of the security firmBeyondTrust, said it may not be feasible for some businesses andconsumers to install Microsoft's EMET tool on their PCs.
He said the security software has in some cases proven to beincompatible with existing programs already running on networks.
Dave Marcus, director of advanced research and threatintelligence with Intel Corp's McAfee securitydivision, said it might be a daunting task for home users tolocate, download and install the EMET tool.
(c) Copyright ThomsonReuters 2012. Check for restrictions at: http://about.reuters.com/fulllegal.asp
Copyright 2013 Thomson Reuters.