Following Microsoft's announcement that a security flaw in its widely used Internet Explorer browser could put online banking users at risk, credit unions are scrambling to ensure that their IT systems are protected.
The software giant confirmed over the weekend that a security vulnerability exists in versions 6 through 11 of Internet Explorer, which is used by about one in four online consumers.
Microsoft described the flaw as a remote code execution vulnerability. That means a hacker who took advantage of the flaw could run code of their choosing on a victim's computer from a remote server, after fooling an unsuspecting user into clicking on a malicious link.
Nicole Tutt, information security officer for $1.8 billion Spokane Teachers CU, Liberty Lake, Wash., told Credit Union Journal the situation is "very dynamic" as researchers discovered a vulnerability in Adobe's Flash plug-in on Monday.
"Adobe released a patch [on Monday] that addresses a flaw in the Flash plug-in. Based on what I am reading this will address the situation as long as people update their browsers," said Tutt, who noted the Flash issue affects Chrome, Firefox and Internet Explorer, but IE was the only browser being exploited.
Microsoft said it is working to quickly develop patches to fix this broken bit of code and push the fixes to all users of the affected browsers.
Meanwhile, credit unions and other financial institutions can and should be taking steps to protect themselves and online banking customers from this potential risk, say industry experts.
"Given the volume of targets that are available, I imagine that this will be integrated into most popular crime kits straight away," said Al Pascual, a security and fraud analyst at Javelin Strategy & Research. So far, he has not heard of any banking malware programs leveraging this vulnerability.
Financial institutions should prominently display a notice on their online banking portals and send advisory alerts to make customers aware of the vulnerability, Pascual said. He also recommended that they provide guidance on remediation measures, such as running IE in "enhanced protected mode."
Since the Internet Explorer flaw was announced, Tutt said STCU has been relying on its intrusion-prevention system to help identify if there is an attack.
"That is what we implemented as we waited for a patch to come out," she said. "Now that the Adobe patch is here we will implement for a test group and, if we see no issues in the next 24 hours, we will implement for the rest of the credit union."
Tutt said she is still in the process of going through logs, but she has not seen any exploitation attempts via any IE flaw yet.
"I have been doing this for a while so I don't get too worked up, but it does seem as if these attacks are becoming more frequent," she said.
— Penny Crosman contributed to this article.