UPDATE 1-Microsoft urges customers to install security tool

Mon Sep 17, 2012 7:11pm EDT

* Experts say browser bug makes PCs vulnerable to attack

* Microsoft says free security tool protects against attacks

* Warning affects hundreds of millions of Internet users

By Jim Finkle

BOSTON, Sept 17 (Reuters) - Microsoft Corp urged Windows users on Monday to install a free piece of security software to protect PCs from a newly discovered bug in the Internet Explorer browser.

The security flaw, which researchers say could allow hackers to take remote control of an infected PC, affects Internet Explorer browsers used by hundreds of millions of consumers and workers. Microsoft said it will advise customers on its website to install the security software as an interim measure, buying it time to fix the bug and release a new, more secure version of Internet Explorer.

The free security tool, which is known as the Enhanced Mitigation Experience Toolkit, or EMET, is available on Microsoft's website:

Eric Romang, a researcher in Luxembourg, discovered the flaw in Internet Explorer on Friday, when his PC was infected by a piece of malicious software known as Poison Ivy that hackers use to steal data or take remote control of PCs.

When he analyzed the infection, he learned that Poison Ivy had gotten on to his system by exploiting a previously unknown bug, or "zero-day" vulnerability, in Internet Explorer.

"Any time you see a zero-day like this, it is concerning," said Liam O Murchu, a research manager with anti-virus software maker Symantec Corp. "There are no patches available. It is very difficult for people to protect themselves."

Zero-day vulnerabilities are rare, mostly because they are hard to identify - requiring highly skilled software engineers or hackers with lots of time to scrutinize code for holes that can be exploited to launch attacks. Security experts only disclosed discovery of eight major zero day vulnerabilities in all of 2011, according Symantec.

Symantec and other major anti-virus software makers have already updated their products to protect customers against the newly discovered bug in Internet Explorer. Yet O Murchu said that may not be sufficient to ward off adversaries.

"The danger with these types of attacks is that they will mutate and the attackers will find a way to evade the defenses we have in place," he said.

Some security experts said computer users should avoid Internet Explorer, even if they install the EMET security tool available from Microsoft.

"It doesn't appear to be completely effective," said Tod Beardsley, an engineering manager with the security firm Rapid7.

Rapid7 released software on Monday that security experts can use to simulate attacks that exploit the security flaw in Internet Explorer to see whether corporate networks are vulnerable to that particular bug.

Marc Maiffret, chief technology officer of the security firm BeyondTrust, said it may not be feasible for some businesses and consumers to install Microsoft's EMET tool on their PCs.

He said the security software has in some cases proven to be incompatible with existing programs already running on networks.

Dave Marcus, director of advanced research and threat intelligence with Intel Corp's McAfee security division, said it might be a daunting task for home users to locate, download and install the EMET tool.