Although officials have confirmed that a security vulnerability in the Internet Explorer browser has been exploited by hackers, Microsoft says it has no immediate plans to fix the problem. US-CERT, a certified Twitter account affiliated with the U.S. Department of Homeland Security that reports major security breaches, detailed the IE vulnerability in a recent tweet and described it as “exploited by hackers.”
Microsoft says all currently supported Windows systems are affected, including Windows 7, whose support ended this week, meaning it will receive no security updates to fix the vulnerability. The vulnerability exists in the way that Internet Explorer handles memory, and could allow an attacker to remotely run malicious code on the affected computer, for example by tricking a user into opening a malicious website through a search query or a link sent by e-mail.
Earlier this week, Mozilla revealed a similar vulnerability. The vulnerability was reported to Microsoft and Mozilla by Qihoo 360, a well-known domestic security company. Earlier this week, Qihoo 360’s official Twitter account also deleted a tweet about a similar vulnerability in Internet Explorer.
Qihoo 360, Microsoft and Mozilla did not say how the attackers exploited the vulnerability, who the attackers were, or who was targeted. The U.S. government’s cybersecurity advisory division has also issued warnings about current exploits.
Microsoft told TechCrunch that it was “aware of the limited targeted attacks” and was “working on patches”, but that it was unlikely to release the patches before its next monthly security patches, scheduled for February 11. Microsoft assigned a common vulnerability identifier, CVE-2020-0674, to the vulnerability, but details of the vulnerability have not been released.