Following the reveal of a major security flaw in Internet Explorer that is currently being exploited by hackers, Microsoft has confirmed its existence, though the software giant has no immediate plans to release a patch to fix it.
The security flaw in the company’s legacy browser was first disclosed by US-CERT, a division of Homeland Security that reports on major security flaws, in a tweet that contained a link to a security advisory concerning the bug. According to the advisory, the vulnerability has already been “detected in exploits in the wild”.
All supported versions of Windows, including Windows 7, which will no longer receive security updates, are affected by the flaw, according to Microsoft.
Internet Explorer vulnerability
The vulnerability concerns how Internet Explorer handles memory, and an attacker could leverage the flaw to remotely run malicious code on an affected computer. It also bears a striking resemblance to a similar vulnerability that was recently disclosed by Mozilla.
The Chinese security research team Qihoo 360 was the first to find the security flaw being used by attackers in the wild. However, the research team, Microsoft and Mozilla do not yet know which attackers are exploiting the flaw, how they’re doing it or who they’re targeting.
The security flaw appears to be serious enough that even the US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding it, which reads:
“The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Microsoft’s Advisory ADV20001 and CERT/CC’s Vulnerability Note VU#338824 for more information, implement workarounds, and apply updates when available. Consider using Microsoft Edge or an alternate browser until patches are made available.”
Microsoft is currently working on a fix for the issue, but a patch likely won’t arrive until the company’s next round of monthly security fixes, which is scheduled for February 11.