Microsoft is warning users of a new zero-day flaw in Internet Explorer that could affect hundreds of millions of people.
The company has released a free piece of security software, the Enhanced Mitigation Experience Toolkit (EMET), and is urging users to install it as soon as possible. A full update should appear in the next week or so.
“We have received reports of only a small number of targeted attacks and are working to develop a security update to address this issue,” says Yunsun Wee, director of the company’s Trustworthy Computing Group.
The flaw is present in IE versions 7, 8 and 9, and affects machines running XP, Vista and Windows 7. According to security firm Rapid7, as many as 41 percent of internet users in North America and 32 percent worldwide are at risk.
Hackers are already exploiting the flaw, says Microsoft.
The bug was discovered by Luxembourgeois security researcher Eric Romang, when his own PC was infected by a piece of malicious software known as Poison Ivy.
He says he believes it’s the work of a group named Nitro, responsible for a series of attacks on the chemical and defense industries last year and – tentatively – traced to China.
The discovery could be a big blow for Microsoft, with Internet Explorer down to just a third of the browser market – and falling. Many users will no doubt find it easier to just switch to Chrome or Firefox, rather than download the EMET tool and then wait for the security update.
The toolkit is here.