Microsoft has informed customers that cyber-criminals are exploiting an unpatched and critical vulnerability in Internet Explorer (IE) using "drive-by" attacks.
"Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11," the company said in a security advisory.
According to Microsoft, the attacks have been launched against IE users tricked into visiting malicious websites. Such attacks, dubbed "drive-bys," are among the most dangerous because a vulnerable browser can be hacked as soon as its user surfs to the URL.
All currently-supported versions of IE are at risk, Microsoft said, including 2001's IE6, which still receives patches on Windows Server 2003. The same browser will not be repaired on Windows XP, as the operating system was retired from patch support on April 8.
The IE flaw was the first post-retirement bug affecting XP.
And that's important.
Because Microsoft will eventually patch the drive-by bug in IE6, IE7 and IE8, then deliver those patches to PCs running Windows Vista and Windows 7, it's likely that hackers will be able to uncover the flaw in the browsers' code, then exploit it on the same browsers running on Windows XP.
Microsoft said that was the biggest risk of running XP -- and IE on it -- after the operating system was retired, claiming last year that XP was 66% more likely to be infected with malware once patching stopped.
Windows XP users can make it more difficult for attackers to exploit the IE bug by installing the Enhanced Mitigation Experience Toolkit (EMET) 4.1, an anti-exploit utility available on Microsoft's website.
The security advisory included other steps customers can take to reduce risk. Among them is to "unregister" the vgx.dll file. That .dll (for dynamic-link library) is one of the modules that renders VML (vector markup language) within Windows and IE.
Another way Windows XP users can avoid IE-based attacks is to switch to an alternate browser, like Google's Chrome or Mozilla's Firefox. Both will continue to receive security updates for at least the next 12 months.
Microsoft did not explicitly promise a patch, but it will almost certainly issue one. The next regularly-scheduled Patch Tuesday is May 13, just over two weeks away.
The company has been very reticent of late to ship emergency patches, called "out-of-band" or "out-of-cycle" updates. In this case, the most likely scenario under which it would issue a quick fix was if the number of attacks quickly climbed.
Although IE6 through IE11 are vulnerable, the attacks seen so far have targeted only IE9, IE10 and IE11, according to FireEye, whose researchers spotted the active exploits. On Saturday, FireEye published more information about the attacks, which it labeled "Operation Clandestine Fox" on its own blog.
On that blog, FireEye called the flaw "a significant zero day" and said that the current exploits rely in part on the presence of Adobe Flash Player. "Disabling the Flash plug-in within IE will prevent the exploit from functioning," FireEye wrote.
FireEye said the hacker group behind the IE exploit is a sophisticated gang that has launched browser-based attacks in the past.
"The APT [advanced persistent threat] group responsible for this exploit has been the first group to have access to a select number of browser-based 0-day exploits (e.g. IE, Firefox, and Flash) in the past," Firefox claimed. "They are extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure."
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.
Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.