Announcing that attackers have released malicious software that takes advantage of an unpatched bug in Internet Explorer, Microsoft has urged users to run a complete system scan at its new Windows Live Safety Center to detect and delete the malicious code.
Microsoft has said that both proof-of-concept code and exploit code are in circulation, and that the exploit code can compromise PCs running IE on the Windows 98, Windows Millennium Edition, Windows 2000, and Windows XP operating systems.
A hacker can gain complete control of vulnerable systems by hosting malicious code on a Web site. When an IE user visits such a site, the malicious program runs without any user interaction.
The security bug in IE was originally reported to Microsoft in May; however, it was initially thought to allow only a denial-of-service (DoS) attack that causes IE to close.
Recent research by security vendor Computer Terrorism says that the flaw can be used to hijack a machine simply by luring users to a malicious Web site. Security vendor Secunia has given the problem an “extremely critical” rating.
Microsoft has not yet produced a patch for the vulnerability, but has advised customers to visit its free-of-charge Windows Live Safety Center and use the Complete Scan option there to check for and remove the malicious software.
In its security advisory, Microsoft has said that it will either provide a security update through its monthly release, or will provide an out-of-cycle security update, depending on customer needs.
However, Microsoft’s advisory does include several workarounds to deflect possible attacks, including clicking on the Custom Level button, disabling Active scripting in Internet Explorer by choosing Tools/Internet Options, scrolling to the Scripting section, clicking the Security tab, and selecting the Disable radio button next to Active scripting.
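To confirm that the Active scripting workaround took effect, the setting can be read back from a registry export. The following is an added example, not code from the article or from Microsoft's advisory; it assumes the per-user `Internet Settings\Zones` registry key, where value `1400` holds the Active scripting policy (3 means disabled), checks the Internet zone by default as an assumption, and uses constructed sample export text.

```python
import re

# Constructed sample in .reg export format (not taken from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000000
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1400"=dword:00000003
'''

ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
# URL action 1400 is "Active scripting"; these are its policy values.
POLICY = {0: "enabled", 1: "prompt", 3: "disabled"}

KEY_RE = re.compile(r'^\[.*\\Internet Settings\\Zones\\(\d+)\]$', re.I)
VAL_RE = re.compile(r'^"1400"=dword:([0-9a-f]{8})$', re.I)

def active_scripting_by_zone(reg_text):
    """Return {zone_number: policy} for every zone that sets action 1400."""
    result, zone = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            zone = int(m.group(1)) if m else None
            continue
        m = VAL_RE.match(line)
        if m and zone is not None:
            value = int(m.group(1), 16)
            result[zone] = POLICY.get(value, "unknown(%d)" % value)
    return result

def zones_missing_workaround(reg_text, required=(3,)):
    """Zones in `required` where Active scripting is not set to disabled."""
    state = active_scripting_by_zone(reg_text)
    return [z for z in required if state.get(z) != "disabled"]

if __name__ == "__main__":
    for z, p in sorted(active_scripting_by_zone(SAMPLE_REG).items()):
        print("%-16s Active scripting: %s" % (ZONES.get(z, z), p))
    print("Needs workaround:", zones_missing_workaround(SAMPLE_REG))
```

A zone that has no `1400` value in the export is reported as missing the workaround, so an incomplete export is not mistaken for a hardened one.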