Criminals are currently exploiting a newly found flaw in several popular versions of Microsoft's Internet Explorer browser, according to the company, security researchers at Google and the Department of Homeland Security.
Attackers can use the vulnerability to gain broad access to computer systems, according to the U.S. Computer Emergency Response Team (CERT). The flaw works by driving users to an infected website via a fraudulent "phishing" email, according to the CERT. Once there, you unknowingly download malware that grants the attacker rights to any system you are able to access, according to Microsoft.
"An attacker could then install programs; view, change or delete data; or create new accounts with full user rights," Microsoft said in an update on the vulnerability.
The issue was discovered by Google's Threat Analysis Team, Microsoft said. The flaw affects Internet Explorer 11 on Windows 7 and 10 and on Windows Server 2012, 2016 and 2019; Internet Explorer 10 on Windows Server 2012; and Internet Explorer 9 on Windows Server 2008, according to Carnegie Mellon's Software Engineering Institute.
The issue is also significant because it comes as companies prepare for the weekend before Christmas, one of the busiest shopping days of the year, said Jason Escaravage, cyber defense lead for the commercial practice at consulting firm Booz Allen Hamilton.
"If I'm a bad guy, I would likely target a group of people at a company with a phishing campaign that, for instance, offers them 50% off with an online shopping platform," he said. "Once they link to the [fraudulent] site, they can have their current session hijacked."
Escaravage advised individuals to keep Internet Explorer, and their other applications, up to date: "Make sure you are always operating on the latest version of anything that is touching the internet," said Escaravage. You should also be particularly mindful of phishing campaigns, especially those that may spoof popular retailers with holiday offers, he said.
For comprehensive information on spotting phishing emails, visit the DHS website.