* Experts say browser bug makes PCs vulnerable to attack
* Microsoft says free security tool protects against attacks
* Warning affects hundreds of millions of Internet users
By Jim Finkle
BOSTON, Sept 17 Microsoft Corp urged
Windows users on Monday to install a free piece of security
software to protect PCs from a newly discovered bug in the
Internet Explorer browser.
The security flaw, which researchers say could allow hackers
to take remote control of an infected PC, affects Internet
Explorer browsers used by hundreds of millions of consumers and
workers. Microsoft said it will advise customers on its website
to install the security software as an interim measure, buying
it time to fix the bug and release a new, more secure version of
The free security tool, which is known as the Enhanced
Mitigation Experience Toolkit, or EMET, is available on
Eric Romang, a researcher in Luxembourg, discovered the flaw
in Internet Explorer on Friday, when his PC was infected by a
piece of malicious software known as Poison Ivy that hackers use
to steal data or take remote control of PCs.
When he analyzed the infection, he learned that Poison Ivy
had gotten on to his system by exploiting a previously unknown
bug, or "zero-day" vulnerability, in Internet Explorer.
"Any time you see a zero-day like this, it is concerning,"
said Liam O Murchu, a research manager with anti-virus software
maker Symantec Corp. "There are no patches available.
It is very difficult for people to protect themselves."
Zero-day vulnerabilities are rare, mostly because they are
hard to identify - requiring highly skilled software engineers
or hackers with lots of time to scrutinize code for holes that
can be exploited to launch attacks. Security experts only
disclosed discovery of eight major zero day vulnerabilities in
all of 2011, according Symantec.
Symantec and other major anti-virus software makers have
already updated their products to protect customers against the
newly discovered bug in Internet Explorer. Yet O Murchu said
that may not be sufficient to ward off adversaries.
"The danger with these types of attacks is that they will
mutate and the attackers will find a way to evade the defenses
we have in place," he said.
Some security experts said computer users should avoid
Internet Explorer, even if they install the EMET security tool
available from Microsoft.
"It doesn't appear to be completely effective," said Tod
Beardsley, an engineering manager with the security firm Rapid7.
Rapid7 released software on Monday that security experts can
use to simulate attacks that exploit the security flaw in
Internet Explorer to see whether corporate networks are
vulnerable to that particular bug.
Marc Maiffret, chief technology officer of the security firm
BeyondTrust, said it may not be feasible for some businesses and
consumers to install Microsoft's EMET tool on their PCs.
He said the security software has in some cases proven to be
incompatible with existing programs already running on networks.
Dave Marcus, director of advanced research and threat
intelligence with Intel Corp's McAfee security
division, said it might be a daunting task for home users to
locate, download and install the EMET tool.