The company posted a security advisory on its website that confirmed it was investigating a flaw in its internet browser software after “limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer”.
According to Microsoft, hackers could gain access to a user’s computer by creating a “specially crafted website” and drawing them to it with a link in an email or message.
The US company was keen to point out, however, that the vulnerability could not be forced on any user, and that it was investigating the flaw.
A post on the Microsoft website said: “On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.”
However, this new issue will be a worry for those Microsoft customers still using the company’s Windows XP operating system, as earlier this month support for it was ended, meaning no more updates or bug fixes would be sent out for that software. The desktop and mobile device maker told customers they should upgrade from the 12-year-old program in order to receive full coverage.
“At this time we are aware of limited, targeted attacks. We encourage customers to follow the suggested mitigations outlined in the security advisory while an update is finalised”, said a spokesman for the company, who did not comment on the lack of coverage for XP users.
Online security firm Symantec responded to the news with a post on its own website, which encouraged users to switch to a different web browser in order to prevent any security attacks.
“Our testing confirmed that the vulnerability crashes Internet Explorer on Windows XP. This will be the first zero-day vulnerability that is not patched for Windows XP users, as Microsoft ended support for the operating system on April 8 2014. There is currently no patch available for this vulnerability and Microsoft has not at the time of writing provided a release date for one.”
According to Microsoft, any successful hacker would gain full access to the victim’s user account should a malicious link be followed, meaning the hacker would be able to change passwords and access any data linked to that account, including email and other personal data.
The flaw comes just weeks after the discovery of the Heartbleed bug - a two-year-old weakness in the encryption used to protect sensitive data such as passwords when they are sent between computers and servers, which is still being tackled with patches to fix affected websites.