Microsoft has acknowledged a security flaw in its widely used Internet Explorer browser that could put online banking users at risk.
The software giant confirmed on Saturday that a security vulnerability exists in versions 6 through 11 of Internet Explorer, which is used by about one in four online consumers.
Microsoft describes the flaw as a remote code execution vulnerability. In practice this means that an attacker who lures a user to a specially crafted web page, typically by getting the user to click a malicious link, could run code of the attacker's choosing on that user's computer with the same rights as the logged-in user. Microsoft says it has so far seen "limited attacks" exploiting the vulnerability.
The vulnerability isn't necessarily easy for a cybercriminal to exploit.
"An attacker would have no ability to force users to visit these [compromised] websites," says Greg Garcia, advisor, Financial Services Information Sharing and Analysis Center. "Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message that takes users to the attacker's website."
The software company is working to develop a patch quickly and push it to all users of the affected browsers.
Meanwhile, banks can and should be taking steps to protect themselves and online banking customers from this potential risk.
"Given the volume of targets that are available, I imagine that this will be integrated into most popular crimekits straight away," says Al Pascual, a security and fraud analyst at Javelin Strategy & Research. So far, he has not heard of any banking malware programs leveraging this vulnerability.
Banks would be well advised to prominently display a notice on their online banking portals and send advisory alerts to make customers aware of the vulnerability, Pascual says. He also recommends that they provide guidance on remediation measures, such as running IE in "enhanced protected mode."
The easiest targets for hackers will likely be Windows XP users, who are unlikely to receive a patch now that Microsoft has ended support for that operating system. Banks should encourage customers still using Windows XP to upgrade to a newer operating system or to use an alternative browser such as Google Chrome.
"Consumers need their banks to look after their online banking security," says Avivah Litan, vice president at Gartner Research. "While banks do a pretty good job of making consumers whole if they suffer financial losses from unauthorized access to their accounts, they need to start doing more with regards to restricting the types of software consumers use to gain access."
Litan thinks banks should take clear and strong measures to stop consumers from using vulnerable versions of IE, including blocking users of those browsers from logging into their sites.