Microsoft Corp is rushing to fix a bug in its widely used Internet Explorer Web browser after a computer security firm disclosed the flaw over the weekend, saying hackers have already exploited it in attacks on some US companies.
However, PCs running Windows XP will not receive any updates fixing that bug when they are released, because Microsoft stopped supporting the 13-year-old operating system earlier this month. Security firms estimate that between 15 and 25 percent of the world’s PCs still run Windows XP.
Microsoft disclosed its plans to fix the bug on Saturday in a customer advisory on its security Web site. The bug is present in Internet Explorer versions 6 to 11. Those versions dominate desktop browsing, accounting for 55 percent of the PC browser market, according to tech research firm NetMarketShare.
Cybersecurity software maker FireEye Inc said that a group of suspected computer criminals have been exploiting the bug in a campaign dubbed “Operation Clandestine Fox.”
FireEye, whose Mandiant division helps companies respond to cyberattacks, declined to name specific victims or identify the group, saying that an investigation into the matter is still active.
“It’s a campaign of targeted attacks seemingly against US-based firms, currently tied to defense and financial sectors,” FireEye spokesman Vitor De Souza said through e-mail. “It’s unclear what the motives of this attack group are, at this point. It appears to be broad-spectrum intel gathering.”
He declined to elaborate, though he said one way to protect against them would be to switch to another browser.
Microsoft said in the advisory that the vulnerability could allow a hacker to take complete control of an affected system, to view, change, or delete data; install malicious programs or create accounts with full user rights.
FireEye and Microsoft have not provided much information about the security flaw or the approach that attackers could use to exploit it, cybersecurity firm Seculert chief technology officer Aviv Raff said.
However, other groups are now racing to learn more about it so they can launch similar attacks before Microsoft prepares a security update, Raff said.
“Microsoft should move fast,” he said. “This will snowball.”
Windows XP users will not benefit from that update since Microsoft has just halted support for that product.
The software maker said in a statement that it advises Windows XP users to upgrade to one of two most recently versions of its operating system, Windows 7 or 8.