www.office.com/setup Internet Explorer is pre-installed on all Windows PCs, although it has been replaced by Microsoft’s new Edge browser in terms of long-term support. The reason is simple: many organizations use the archaic browser for legacy applications, so Microsoft has had to maintain it but is not spending a great deal of time improving it. Unfortunately, according to a security company, Internet Explorer has a serious flaw that leaves it open to malware attacks.
ZDNet reports the zero-day error, which comes from Chinese antivirus software company Qihoo 360 Core. The company’s security research team claims that the error uses a Microsoft Office document that has an installed vulnerability that opens a web page that downloads malware. According to the researchers, the malware exploits a user account control derivation attack (UAC), and also uses steganography of file, which is the technology of embedding a message, image or file inside another message, image or file.
Microsoft responded to the ZDNet comment request with the following fairly generic statement:
“Windows has a commitment from customers to investigate reported security issues and to proactively update affected devices as soon as possible.We recommend that customers use Windows 10 and the Microsoft Edge browser for the best protection.Our standard policy is to provide solutions through our current Update Calendar Tuesday. ”
Apparently, the attack is being carried out globally by an “advanced persistent threat group (APT)”. That implies a group of hackers with some capabilities that can carry out such a sophisticated attack. Unfortunately, there is not much that users can do at this time, except follow the usual security tips: keep your systems and software updated, make sure they are using enough malware protection and not open any files unless they are absolutely sure of that it is from a reliable source and that it was sent on purpose.