If you or any of your loved ones are still using Internet Explorer — and yes, I do mean true IE, not Microsoft Edge — then you probably already realize that you’re a good 15 years behind the times. But if you need a good nudge to get you (or your company’s IT department) off this addiction before it ruins more good families, this news should do it.
A hacking group is actively exploiting a zero-day exploit in Internet Explorer to infect Windows PCs with malware, according to researchers. A team from Qihoo 360’s Core security unit “say an advanced persistent threat (APT) group is using the IE vulnerability on a “global scale,” according to ZDNet. The vulnerability is being exploited using an infected Office document, loaded with something called a “double-kill” vulnerability.
In order for the malware to be triggered, users have to be Internet Explorer and choose to open the infected Office file. From there, the malware uses a well-known exploit to get around Windows’ User Account Control, those pop-up windows that are supposed to stop unverified scripts running.
The attack does require users to do two things they really shouldn’t — open unverified Office files, and use Internet Explorer — but the researchers are calling on Microsoft to issue an urgent patch to fix the issue nonetheless. Short of burning Internet Explorer to the ground (a rational choice, but one that users on institution IT systems don’t always have the option of), there’s nothing users can do to protect themselves right now.