#1
16-December-2008, 22:12
gem
 
Serious security flaw found in IE

From BBC News, Technology
Serious security flaw found in IE
Users of Microsoft's Internet Explorer are being urged by experts to switch to a rival until a serious security flaw has been fixed.

The flaw in Microsoft's Internet Explorer could allow criminals to take control of people's computers and steal their passwords, internet experts say.

Microsoft urged people to be vigilant while it investigated and prepared an emergency patch to resolve it.

Internet Explorer is used by the vast majority of the world's computer users.

"Microsoft is continuing its investigation of public reports of attacks against a new vulnerability in Internet Explorer," said the firm in a security advisory alert about the flaw.

Microsoft says it has detected attacks against IE 7.0 but said the "underlying vulnerability" was present in all versions of the browser.

Other browsers, such as Firefox, Opera, Chrome, Safari, are not vulnerable to the flaw Microsoft has identified.

Browser bait

"In this case, hackers found the hole before Microsoft did," said Rick Ferguson, senior security advisor at Trend Micro. "This is never a good thing."

As many as 10,000 websites have been compromised since the vulnerability was discovered, he said.

"What we've seen from the exploit so far is it stealing game passwords, but it's inevitable that it will be adapted by criminals," he said. "It's just a question of modifying the payload the trojan installs."

Said Mr Ferguson: "If users can find an alternative browser, then that's good mitigation against the threat."

But Microsoft counselled against taking such action.

"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.

He added: "We're trying to get this resolved as soon as possible.

"At present, this exploit only seems to affect 0.02% of internet sites," said Mr Curran. "In terms of vulnerability, it only seems to be affecting IE7 users at the moment, but could well encompass other versions in time."

Richard Cox, chief information officer of anti-spam body The Spamhaus Project and an expert on privacy and cyber security, echoed Trend Micro's warning.

"It won't be long before someone reverse engineers this exploit for more fraudulent purposes. Trend Micro's advice [of switching to an alternative web browser] is very sensible," he said.

PC Pro magazine's security editor, Darien Graham-Smith, said that there was a virtual arms race going on, with hackers always on the lookout for new vulnerabilities.

"The message needs to get out that this malicious code can be planted on any web site, so simple careful browsing isn't enough."

"It's a shame Microsoft have not been able to fix this more quickly, but letting people know about this flaw was the right thing to do. If you keep flaws like this quiet, people are put at risk without knowing it."

"Every browser is susceptible to vulnerabilities from time to time. It's fine to say 'don't use Internet Explorer' for now, but other browsers may well find themselves in a similar situation," he added.
__________________
GEM
#2
17-December-2008, 22:24
gem
 
Microsoft Scrambles To Fix Flaw

From Sky News Technology
Microsoft will rush out an emergency fix for its Internet Explorer (IE) software after the discovery of a flaw which allows hackers to take over PCs.
The company says it will release a patch for the web browser today, rather than waiting for its regular security update next month.

The flaw was discovered last week and attacks are "spreading like wildfire", according to software security firm Trend Micro.

The company's senior security adviser Rik Ferguson told Sky News Online: "It's a flaw that affects every version of Explorer on all versions of Windows.
"The main problem is that there isn't a patch available, so it is very widespread."

Mr Ferguson explained that many cyber criminals operate by using malware - software that is installed on people's computers without them knowing.

The software can then run in the background and connect to servers elsewhere, giving it the potential to detect and then pass on confidential information.

He explained that many pieces of malware are 'injected' onto websites across the world, often by cybercriminals who install them by using sign-up forms or other methods of interacting with a website.

The malware then runs a piece of JavaScript that can detect when the site is being accessed on Explorer, and it then activates and downloads the malicious software.

Trend Micro believes as many as 10,000 sites have already been compromised, though Mr Ferguson said it is impossible to know how many might have been hit.

His advice is to switch to another browser until the patch is released, as the malicious code only activates when it detects Explorer.

Microsoft has rejected this advice and instead recommends putting security settings at high and turning Vista onto protected mode.

Mr Ferguson said: "All of their solutions are going to make browsing less attractive, less interactive and a lot less normal."

John Curran, head of Microsoft's Windows commercial business group in the UK, said: "Obviously when you are talking about a customer base of over one billion people, any amount of vulnerability is too much and any type of infection is going to see a large number of people affected by it."

He added the flaw was primarily being exploited in China, where it has been used to steal passwords from gamers.

From BBC News Technology
Microsoft plans quick fix for IE
Microsoft is due to issue a patch to fix a security flaw believed to have affected as many as 10,000 websites.

The emergency patch should be available from 1800 GMT on 17 December, Microsoft has said.

The flaw in Microsoft's Internet Explorer browser could allow criminals to take control of people's computers and steal passwords.

Internet Explorer is used by the vast majority of computer users and the flaw could affect all versions of it.

So far the vulnerability has affected only machines running Internet Explorer 7.

"Microsoft teams worldwide have been working around the clock to develop a security update to help protect our customers," the software firm said in a statement.

"Until the update is available, Microsoft strongly encourages customers to follow the Protect Your Computer Guidance at www.microsoft.com/protect, which includes activating the Automatic Update setting in Windows to ensure that they receive the update as soon as it is available," the statement read.

Potential danger

According to Rick Ferguson, a senior security adviser at security firm Trend Micro, the flaw has so far been used to steal gaming passwords but more sensitive data could be at risk until the security update is installed.

"It is inevitable that it will be adapted by criminals. It's just a question of modifying the payload the trojan installs," he said.

It is relatively unusual for Microsoft to issue what it calls an "out-of-band" security bulletin and experts are reading the decision to rush out a patch as evidence of the potential danger of the flaw.

Some experts have suggested that users switch browsers until the flaw is fixed.

Firefox, Opera, Chrome and Apple's Safari system are not vulnerable to this current flaw.

But Graham Cluley, senior consultant with security firm Sophos, said no browser is exempt from problems.

"Firefox has issued patches and Apple has too. Whichever browser you are using you have to keep it up to date," he said.

"People have to be prepared and willing to install security updates. That nagging screen asking if you want to update should not be ignored," he said.
__________________
GEM

Last edited by gem; 17-December-2008 at 22:40.
#3
18-December-2008, 07:23
Scoobs
 
Re: Serious security flaw found in IE

My IE was patched last night and also FF was upgraded to 3.05
#4
18-December-2008, 09:34
gem
 
Re: Serious security flaw found in IE

Same for me on Vista, XP is doing it now.
__________________
GEM