Microsoft urges customers to install security tool

BOSTON Mon Sep 17, 2012 7:13pm EDT

Microsoft Corp Vice President of Internet Explorer Dean Hachamovitch unveils Microsoft Internet Explorer 9 Beta version during a demonstration in San Francisco, California September 15, 2010. REUTERS/Robert Galbraith

Microsoft Corp Vice President of Internet Explorer Dean Hachamovitch unveils Microsoft Internet Explorer 9 Beta version during a demonstration in San Francisco, California September 15, 2010.

Credit: Reuters/Robert Galbraith

Related Topics

BOSTON (Reuters) - Microsoft Corp urged Windows users on Monday to install a free piece of security software to protect PCs from a newly discovered bug in the Internet Explorer browser.

The security flaw, which researchers say could allow hackers to take remote control of an infected PC, affects Internet Explorer browsers used by hundreds of millions of consumers and workers. Microsoft said it will advise customers on its website to install the security software as an interim measure, buying it time to fix the bug and release a new, more secure version of Internet Explorer.

The free security tool, which is known as the Enhanced Mitigation Experience Toolkit, or EMET, is available on Microsoft's website: bit.ly/Kv497S

Eric Romang, a researcher in Luxembourg, discovered the flaw in Internet Explorer on Friday, when his PC was infected by a piece of malicious software known as Poison Ivy that hackers use to steal data or take remote control of PCs.

When he analyzed the infection, he learned that Poison Ivy had gotten on to his system by exploiting a previously unknown bug, or "zero-day" vulnerability, in Internet Explorer.

"Any time you see a zero-day like this, it is concerning," said Liam O Murchu, a research manager with anti-virus software maker Symantec Corp. "There are no patches available. It is very difficult for people to protect themselves."

Zero-day vulnerabilities are rare, mostly because they are hard to identify - requiring highly skilled software engineers or hackers with lots of time to scrutinize code for holes that can be exploited to launch attacks. Security experts only disclosed discovery of eight major zero day vulnerabilities in all of 2011, according Symantec.

Symantec and other major anti-virus software makers have already updated their products to protect customers against the newly discovered bug in Internet Explorer. Yet O Murchu said that may not be sufficient to ward off adversaries.

"The danger with these types of attacks is that they will mutate and the attackers will find a way to evade the defenses we have in place," he said.

Some security experts said computer users should avoid Internet Explorer, even if they install the EMET security tool available from Microsoft.

"It doesn't appear to be completely effective," said Tod Beardsley, an engineering manager with the security firm Rapid7.

Rapid7 released software on Monday that security experts can use to simulate attacks that exploit the security flaw in Internet Explorer to see whether corporate networks are vulnerable to that particular bug.

Marc Maiffret, chief technology officer of the security firm BeyondTrust, said it may not be feasible for some businesses and consumers to install Microsoft's EMET tool on their PCs.

He said the security software has in some cases proven to be incompatible with existing programs already running on networks.

Dave Marcus, director of advanced research and threat intelligence with Intel Corp's McAfee security division, said it might be a daunting task for home users to locate, download and install the EMET tool.

"For consumers it might be easier to simply click on Chrome," Marcus said.

Internet Explorer was the world's second-most widely used browser last month, with about 33 percent market share, according to StatCounter. It was close behind Google Inc's Chrome browser, which had 34 percent of the market.

(Reporting By Jim Finkle; Editing by Kenneth Barry)

FILED UNDER:
We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/
Comments (2)
Alexander_Sr wrote:
Seems to me Internet Explorer is a bug and has been since MS bought it years ago.

Sep 17, 2012 6:45pm EDT  --  Report as abuse
marjwyatt wrote:
With all due respect, IE has not had 33% percent of browser usage since April 2010, according to W3Schools.com.

Sep 19, 2012 9:39pm EDT  --  Report as abuse
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.