Serious security flaw found in Internet Explorer

Contributed by editor on Dec 16, 2008 - 12:00 AM

The following story is published on the BBC
website today (16 December). Readers may wish to take the
recommended precautions.

'Users of Microsoft's Internet Explorer are being
urged by experts to switch to a rival until a serious security flaw has
been fixed.

The flaw in Microsoft's Internet Explorer could
allow criminals to take control of people's computers and steal their
passwords, internet experts say.

Microsoft urged people to be vigilant while it
investigated and prepared an emergency patch to resolve it.

Internet Explorer is used by the vast majority of
the world's computer users.

"Microsoft is continuing its investigation of
public reports of attacks against a new vulnerability in Internet
Explorer," said the firm in a security advisory alert about the

Microsoft says it has detected attacks against
IE 7.0 but said the "underlying vulnerability" was present in all
versions of the browser.

Other browsers, such as Firefox, Opera,
Chrome, Safari, are not vulnerable to the flaw Microsoft has

Browser bait

"In this case, hackers found the hole before
Microsoft did," said Rick Ferguson, senior security advisor at Trend
Micro. "This is never a good thing."

As many as 10,000 websites have been
compromised since the vulnerability was discovered, he said.

"What we've seen from the exploit so far is it
stealing game passwords, but it's inevitable that it will be adapted
by criminals," he said. "It's just a question of modifying the
payload the trojan installs."

Said Mr Ferguson: "If users can find an
alternative browser, then that's good mitigation against the

But Microsoft counselled against taking such

"I cannot recommend people switch due to this
one flaw," said John Curran, head of Microsoft UK's Windows group.

He added: "We're trying to get this resolved
as soon as possible.

"At present, this exploit only seems to affect
0.02% of internet sites," said Mr Curran. "In terms of
vulnerability, it only seems to be affecting IE7 users at the
moment, but could well encompass other versions in time."

Richard Cox, chief information officer of
anti-spam body The Spamhaus Project and an expert on privacy and
cyber security, echoed Trend Micro's warning.

"It won't be long before someone reverse
engineers this exploit for more fraudulent purposes. Trend Micro's
advice [of switching to an alternative web browser] is very
sensible," he said.

PC Pro magazine's security editor, Darien
Graham-Smith, said that there was a virtual arms race going on, with
hackers always on the lookout for new vulnerabilities.

"The message needs to get out that this
malicious code can be planted on any web site, so simple careful
browsing isn't enough."

"It's a shame Microsoft have not been able to
fix this more quickly, but letting people know about this flaw was
the right thing to do. If you keep flaws like this quiet, people are
put at risk without knowing it."

"Every browser is susceptible to
vulnerabilities from time to time. It's fine to say 'don't use
Internet Explorer' for now, but other browsers may well find
themselves in a similar situation," he added.'