Internet Explorer Vulnerability (4-28-2014)

Explorer Flaw Puts Online Banking Sites at Risk

SOURCE: BANK TECHNOLOGY NEWS                                       

APRIL 28, 2014 12:20pm ET

by Penny Crosman


Microsoft has acknowledged a security flaw in its widely used Internet Explorer (IE) browser that could put online banking users at risk.

The software giant confirmed on Saturday that a security vulnerability exists in versions 6 through 11 of IE, which is used by about one in four online consumers.

Microsoft describes the flaw as a remote code execution vulnerability. This means that a hacker who took advantage of the flaw could manipulate code from a remote server that fooled unsuspecting users into by clicking on malicious links. Microsoft says it has so far seen “limited attacks” exploiting the vulnerability.

The vulnerability isn't necessarily easy for a cybercriminal to exploit.

“An attacker would have no ability to force users to visit these compromised websites,” says Greg Garcia, advisor, Financial Services Information Sharing and Analysis Center. “Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message that takes users to the attacker's website.”

The software company is working to quickly develop patches to fix this broken bit of code and push the fixes to all users of the affected browsers.

Meanwhile, banking customers should be taking steps to protect themselves from this potential risk.  For example you can use an alternative browser such as Google Chrome, Firefox or running IE in “enhanced protected mode.”

“Given the volume of targets that are available, I imagine that this will be integrated into most popular crime kits straight away,” says Al Pascual, a security and fraud analyst at Javelin Strategy & Research. So far, he has not heard of any banking malware programs leveraging this vulnerability.

The easiest targets for hackers will likely be Windows XP users, who are unlikely to ever get a patch to resolve the issue now that support for that operating system from Microsoft has ended. Banks should encourage customers still using Windows XP to upgrade to a newer operating system or use an alternative browser such as Google Chrome, Firefox or running IE in “enhanced protected mode.”