Microsoft has acknowledged a security flaw in its widely used Internet Explorer browser that could put online banking users at risk.
The software giant confirmed on Saturday that a security vulnerability exists in versions 6 through 11 of Internet Explorer, which is used by about one in four online consumers.
Microsoft describes the flaw as a remote code execution vulnerability. In practical terms, an attacker who lures a user into viewing a specially crafted web page, typically through a link in an e-mail or on a compromised site, could run code of the attacker's choosing on the victim's computer with the same rights as the logged-on user, without the user installing anything. Microsoft says it has so far seen "limited attacks" exploiting the vulnerability.
Microsoft says it is working to develop a fix quickly and push it to all users of the affected browser versions.
Meanwhile, financial institutions can and should be taking steps to protect themselves and online banking customers from this potential risk.
"Given the volume of targets that are available, I imagine that this will be integrated into most popular crime kits straight away," says Al Pascual, a security and fraud analyst at Javelin Strategy & Research. So far, he has not heard of any banking malware programs leveraging this vulnerability.
Financial institutions would be well advised to prominently display a notice on their online banking portals and send advisory alerts to make customers aware of the vulnerability, Pascual says. He also recommends that they provide guidance on remediation measures, such as running IE in "enhanced protected mode."
The easiest targets for attackers will likely be Windows XP users, who are unlikely to ever receive a patch now that Microsoft's support for that operating system has ended. Banks and credit unions should encourage customers still running Windows XP to upgrade to a newer operating system or, at a minimum, to use an alternative browser such as Google Chrome.
"Consumers need their banks to look after their online banking security," says Avivah Litan, vice president at Gartner Research. "While banks do a pretty good job of making consumers whole if they suffer financial losses from unauthorized access to their accounts, they need to start doing more with regards to restricting the types of software consumers use to gain access."
Litan thinks financial institutions should take clear and strong measures to stop consumers from using vulnerable versions of IE, including blocking users of those browsers from logging into their sites.
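The two measures discussed above, flagging Windows XP customers (so the bank can push the upgrade advisory) and refusing logins from vulnerable Internet Explorer versions, both come down to classifying the browser's User-Agent header at the login endpoint. The following is an added illustration of that check, not code from the article or from any bank named in it; the policy table, the function names and the sample User-Agent strings are constructed for the example. It handles the cases a naive `"MSIE" in ua` test gets wrong: IE11's default string carries no `MSIE` token at all, Compatibility View under-reports the version in the `MSIE` token while the `Trident` token still gives the real engine, and old Opera builds advertised themselves as IE.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Internet Explorer versions the article reports as affected (6 through 11).
# This table is the example's own policy, not a Microsoft product list.
AFFECTED_IE_VERSIONS = range(6, 12)

# Trident layout-engine token -> IE major version. IE8 shipped Trident/4.0,
# and the token survives even when Compatibility View rewrites the MSIE token.
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10, "7.0": 11}

_MSIE_RE = re.compile(r"\bMSIE (\d+)\.\d+")
_TRIDENT_RE = re.compile(r"\bTrident/(\d+\.\d+)")
_RV_RE = re.compile(r"\brv:(\d+)\.\d+")


@dataclass
class ClientInfo:
    ie_version: Optional[int]  # None when the browser is not Internet Explorer
    windows_xp: bool           # "Windows NT 5.1" is 32-bit Windows XP


def parse_user_agent(ua: str) -> ClientInfo:
    """Classify a User-Agent string as IE (with major version) or not, plus OS."""
    on_xp = "Windows NT 5.1" in ua

    # Old Opera builds masqueraded as IE, e.g.
    # "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50",
    # so anything advertising Opera is treated as not-IE.
    if "Opera" in ua:
        return ClientInfo(None, on_xp)

    version = None
    msie = _MSIE_RE.search(ua)
    if msie:
        version = int(msie.group(1))

    trident = _TRIDENT_RE.search(ua)
    if trident:
        engine_version = TRIDENT_TO_IE.get(trident.group(1))
        if engine_version is None:
            # Unknown Trident build: fall back to the "rv:" token that IE11-style
            # strings carry. Only trusted alongside Trident, since Firefox
            # strings also contain "rv:".
            rv = _RV_RE.search(ua)
            engine_version = int(rv.group(1)) if rv else None
        if engine_version is not None:
            # Compatibility View may say "MSIE 7.0" inside a real IE11; the
            # engine token is the truthful one, so take the higher value.
            version = engine_version if version is None else max(version, engine_version)

    return ClientInfo(version, on_xp)


def login_policy(ua: str) -> str:
    """Return "block", "warn" or "allow" for a login attempt from this User-Agent."""
    info = parse_user_agent(ua)
    if info.ie_version is not None and info.ie_version in AFFECTED_IE_VERSIONS:
        return "block"  # vulnerable IE: refuse the login, as Litan recommends
    if info.windows_xp:
        return "warn"   # non-IE browser on XP: allow, but show the upgrade advisory
    return "allow"


# Constructed sample User-Agent strings for demonstration.
SAMPLE_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50",
    "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; rv:29.0) Gecko/20100101 Firefox/29.0",
]

if __name__ == "__main__":
    for agent in SAMPLE_AGENTS:
        print(f"{login_policy(agent):5s}  {parse_user_agent(agent)}  {agent}")
```

The User-Agent header is supplied by the client and trivially changed, so this is a nudge that steers honest customers away from a vulnerable browser, not a security boundary; an attacker who already controls the victim's browser does not need to get past it. The check that most real deployments miss is the IE11 string, which contains no `MSIE` token and is only recognisable by `Trident/7.0` together with `rv:11.0`.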