Microsoft has issued an emergency security update for all versions of its Internet Explorer browser. The update will patch a zero-day flaw reported on 26 April that has already been used in live attacks.
The software firm's next monthly update is due on Tuesday 6 May, but the latest fix was rushed out independently last night, underlining the seriousness of the threat.
The fact that the software firm has issued an update in under a week outside its normal monthly update cycle, and included Windows XP, underlines the seriousness of the threat.
Security commentators said businesses and consumers should ensure the security update is installed without delay.
Microsoft said it was making an exception for Windows XP because the flaw was discovered so soon after the company officially ended support for the operating system on 8 April.
But security firm FireEye has revealed that new exploits of the flaw are being used in live attacks against IE 8 to 11 and 7 and 8 on Windows XP.
“We have also observed that multiple, new threat actors are now using the exploit in attacks and have expanded the industries they are targeting,” the firm said in a blog post.
Besides previously observed attacks against the defense and financial sectors, organisations in the government and energy sectors are also facing attack.
Microsoft issued a security advisory after reports of “limited, targeted attacks” to exploit the flaw affecting Internet Explorer (IE) versions 6 to 11.
The company warned that attackers could exploit the flaw to gain the same user rights as the current user.
This means that if the current user is logged on with administrative user rights, an attacker could take complete control of a targeted system.
The attacker could then install programs and view, change and delete data, as well as create new accounts with full user rights.
According to NetMarket Share, the affected versions of IE account for more than half of global browser market, affecting millions of businesses and consumers.
Microsoft said that most IE users have automatic updates enabled and will not need to take any action.
“Out-of-band updates are a big deal,” said Trey Ford, global security satrategist at security firm Rapid7.
“To interrupt a scheduled development cycle for an emergency patch is a noteworthy event where a vendor is placing the public good ahead of their development and delivery lifecycle,” he said.
Chris Goettl, product manager at security firm Shavlik said it is in Microsoft’s best interest to plug this vulnerability for Windows XP as the operating system will be in circulation for a while yet.
“One can hope there are a few hackers out there wearing long faces knowing that this patch will likely be rolled out to XP systems as soon as possible,” he said.
More on IE vulnerabilities
- Microsoft offers temporary fix for Internet Explorer zero-day
- Locking down Internet Explorer settings with Group Policy in IE 11
- Microsoft patches vulnerabilities in Internet Explorer, Exchange
- Microsoft offers 'fix' for latest Internet Explorer zero day
- Critical RDP, Internet Explorer fixes included in Patch Tuesday update
- Internet Explorer vulnerabilities fixed in December 2012 Patch Tuesday
- Microsoft fixes critical issues in Internet Explorer, Windows Kernel
- City University London explores multi-sensory human communication via mobile
- Microsoft issues emergency security update for Internet Explorer
- New zero-day vulnerability targets Internet Explorer users