Microsoft Corp. has issued a security advisory about a flaw in its Internet Explorer Web browser which could allow hackers to install programs on a user’s machine.
The bug affects Internet Explorer 6, 7, 8, 9, 10 and 11.
“The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated,” according to the advisory. “The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in context of the current user within Internet Explorer.”
Microsoft warned that an attacker could host a Web site that is designed to exploit the vulnerability and then entice a user to visit the site.
This could be bad news for organizations and individuals who are still using the Windows XP operating system. Microsoft officially stopped issuing security updates for its 13-year-old OS on April 8. The OS will not receive the required patch for this vulnerability, which happens to be the first known bug to affect XP since support for it was halted.
The United States Computer Emergency Response Team (CERT) recommended on Sunday that users and administrators enable Microsoft's Enhanced Mitigation Experience Toolkit (EMET) to help prevent exploitation of the vulnerability. CERT also recommended the use of an alternative Web browser until an official update is available.
Microsoft said it is investigating the flaw and will take action to protect its customers. Remediating action could include “providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on our customer needs.”
This is not the only bad news to face XP users in the past few days.
Also last week, an update to Microsoft Security Essentials crashed Windows XP computers.
The update to the company’s free anti-malware software caused a variety of Microsoft operating systems to restart and then fail to reboot. A lot of retailers still use point-of-sale systems that run XP. They also use MSE to meet Payment Card Industry (PCI) security requirements.
One workaround was to uninstall MSE. However, when users attempted to reinstall MSE, it would no longer work with the XP machines since the OS is no longer supported by Microsoft.
Microsoft said that the MSE problem has been fixed.