WASHINGTON — A major security flaw in the web browser Internet Explorer has put more than 50 percent of all Internet users at risk.
“The fear is it will allow an attacker to essentially take over your machine,” says Allan Friedman, a research scientist at George Washington University and co-author of the book “Cybersecurity and Cyberwar: What Everyone Needs to Know.”
“This affects every version of Internet Explorer that is used on any PC. …that’s about 50 percent of the browser marketplace right now, so chances are about half of (WTOP) listeners are using Internet Explorer.”
Microsoft says the vulnerability affects versions 6 through 11 of Internet Explorer.
Internet Explorer is part of the Windows operating system and is the program most used to access the Internet.
“Essentially, if you visit a website that is run by an attacker, they can convince your computer to follow a set of instructions that will allow them to gain access,” Friedman says.
“They can gain all the data of your computer, they can turn your computer into part of a botnet that goes and attacks other machines around the world.”
The flaw is called a zero-day attack because it was being exploited before Microsoft knew, Friedman says. The issue had not been fixed as of Monday, April 28, so Friedman urges Internet users to be very careful about how they’re using Internet Explorer.
“The safest and easiest thing is to use a different browser, you can use Firefox, you can use Google Chrome,” he says.
Currently, there is no way to tell if you’ve been affected, Friedman says. However, it doesn’t affect Mac users, so Safari should also be safe.
Microsoft encourages customers to enable a firewall, apply all software updates and install anti-malware software.
Friedman says the attack was not likely going after individual users.
“It was discovered as part of an attack against financial and defense contractors in this country, and potentially around the world.”
Microsoft Corp. said Saturday that it was aware of “limited, targeted attacks” that tried to exploit the security gap. The company is working on a fix which it plans to provide in a software update on May 13.
A division of the Homeland Security Department recommends that users download a security toolkit from Microsoft or use another browser until an update becomes available.
The Associated Press contributed to this story.