Microsoft (MSFT) has fixed the Internet Explorer (IE) zero-day security vulnerability that was identified by FireEye Research Labs on April 26. FireEye said IE users from numerous industries were affected by the zero-day flaw, including those in the defense, energy, financial and government sectors.
Hackers were reportedly using the IE bug as part of "Operation Clandestine Fox," a series of cyber attacks against IE users. The vulnerability affected every version from IE6 through IE11, and FireEye wrote in a blog post yesterday that it had discovered a new version of the attack that specifically targeted out-of-support Windows XP machines running IE8.
Microsoft released a security update yesterday that "addresses the vulnerability by modifying the way that Internet Explorer handles objects in memory." The company rated the update "critical" for Internet Explorer on affected Windows client systems (and "moderate" on Windows servers, where IE runs in a restricted configuration by default), and it shipped the fix for Windows XP as well, even though Microsoft ended support for XP on April 8.
"The vulnerability could allow remote code execution if a user views a specially crafted webpage using an affected version of Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," Microsoft wrote in a security bulletin.
Full details about the patch are in Microsoft's security bulletin for the update (MS14-021). Microsoft also points out that users with automatic updates enabled need take no action, because the fix is downloaded and installed automatically.
So how can managed service providers (MSPs) safeguard their sensitive data against the IE vulnerability? For now, the U.S. Department of Homeland Security recommends "users and administrators review Microsoft Security Bulletin MS14-021 and apply the necessary updates as soon as possible."
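For an MSP that has to confirm the advice above across a fleet, the natural first step is an inventory: which hosts already have the MS14-021 update, which IE version they run, and which are still on Windows XP (the out-of-support platform the IE8 variant of the attack targeted). The PowerShell script below is an added example written for this article, not code from Microsoft, FireEye or DHS. It assumes WMI and remote registry access to the target hosts, and it takes the KB numbers of the update packages as a parameter because this page does not list them; copy them from the MS14-021 bulletin.

```powershell
# Added example (not from the article): report per host whether the MS14-021
# Internet Explorer update is installed and whether the host is an
# out-of-support Windows XP / IE8 machine of the kind the XP-specific attack hit.
# ASSUMPTION: the KB numbers of the MS14-021 packages are not given on this
# page; take them from the bulletin and pass them via -KbIds.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [Parameter(Mandatory = $true)][string[]]$KbIds
)

function Get-IeVersion {
    param([string]$Computer)
    # IE10/11 record their real version in 'svcVersion'; older releases only
    # populate 'Version'. Read via the remote registry so no WinRM is needed.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    $key = $hklm.OpenSubKey('SOFTWARE\Microsoft\Internet Explorer')
    if ($null -eq $key) { return $null }
    $v = $key.GetValue('svcVersion')
    if (-not $v) { $v = $key.GetValue('Version') }
    return $v
}

foreach ($computer in $ComputerName) {
    # Windows XP reports NT version 5.1; support for it ended 8 April 2014.
    $os   = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer
    $isXp = $os.Version -like '5.1*'

    $ieVersion = Get-IeVersion -Computer $computer
    $ieMajor   = if ($ieVersion) { [int]($ieVersion.Split('.')[0]) } else { 0 }

    # Get-HotFix errors rather than returning nothing when no ID matches, so
    # silence that and treat an empty result as "not installed".
    $installed = Get-HotFix -ComputerName $computer -Id $KbIds -ErrorAction SilentlyContinue
    $patched   = ($null -ne $installed)

    $status = if ($patched) {
        'Patched'
    } elseif ($ieMajor -ge 6 -and $ieMajor -le 11) {
        'Missing MS14-021 update'
    } else {
        'IE version not in affected range; verify manually'
    }

    [PSCustomObject]@{
        Computer        = $computer
        OSVersion       = $os.Version
        IsWindowsXP     = $isXp
        IEVersion       = $ieVersion
        HasMs14021Patch = $patched
        Status          = $status
        # XP + IE8 is exactly the combination FireEye saw targeted after the
        # first wave, so call it out explicitly for triage.
        Priority        = if (-not $patched -and $isXp -and $ieMajor -eq 8) { 'HIGH' } else { 'normal' }
    }
}
```

Run it as `.\Check-Ms14021.ps1 -ComputerName host1,host2 -KbIds KBnnnnnnn` from an account with administrative rights on the targets, and pipe the output to `Export-Csv` for a fleet report. Note that `Get-HotFix` only sees updates recorded in `Win32_QuickFixEngineering`; a host on which the update was installed by other means (or one that has not rebooted since) can still show as missing, so a "Patched" row is trustworthy but a "Missing" row is a prompt to look closer, not a verdict.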
But some cyber security experts are skeptical about Microsoft's IE security patch.
David Kennedy, CEO of security consulting firm TrustedSec, said he feels Operation Clandestine Fox is much more serious than the Heartbleed OpenSSL security flaw that threatened MSPs last month. In fact, Kennedy told CNNMoney the IE zero-day security exploit revealed several weaknesses in the U.S. energy and financial sectors.
"[Hackers are] after the core critical infrastructure of the United States, so in the event of a war, they can take it down," Kennedy said. "The scary part is that the financial sector and energy [sector] are extremely vulnerable."