Microsoft is warning Internet Explorer users to be hyper-vigilant to phishing attacks after it discovered a major flaw in the web browser was being actively exploited by hackers.
The company is yet to issue a patch for the remote code execution vulnerability, which affects all supported Windows desktop and server versions, as well as the out-of-support Windows 7 and Server 2008.
An attacker who successfully exploits the flaw could gain the same user rights as the current user and run code of their choice on the victim’s system.
“If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said.
One way a hacker could exploit the flaw is by sending a phishing email or other message that drives the user to a specially crafted malicious website in IE.
While Microsoft said it was aware of hackers actively exploiting the flaw, it described these instances as “limited targeted attacks”, believed to be part of a wider hacking campaign also targeting Firefox users.
Internet Explorer is no longer the default browser in the latest versions of Windows, but still comes installed with the operating system and remains the browser of choice for many legacy applications.