BBC News
Serious security flaw found in IE
Users of Microsoft's Internet Explorer are being urged by experts to
switch to a rival until a serious security flaw has been fixed.
The flaw in Microsoft's Internet Explorer could allow criminals to
take control of people's computers and steal their passwords, internet
experts say.
Microsoft urged people to be vigilant while it investigated and
prepared an emergency patch to resolve it.
Internet Explorer is used by the vast majority of the world's computer users.
"Microsoft is continuing its investigation of public reports of
attacks against a new vulnerability in Internet Explorer," said the
firm in a security advisory alert about the flaw.
Microsoft says it has detected attacks against IE 7.0 but said the
"underlying vulnerability" was present in all versions of the browser.
Other browsers, such as Firefox, Opera, Chrome, Safari, are not
vulnerable to the flaw Microsoft has identified.
Browser bait
"In this case, hackers found the hole before Microsoft did," said Rick
Ferguson, senior security advisor at Trend Micro. "This is never a
good thing."
As many as 10,000 websites have been compromised since the
vulnerability was discovered, he said.
"What we've seen from the exploit so far is it stealing game
passwords, but it's inevitable that it will be adapted by criminals,"
he said. "It's just a question of modifying the payload the trojan
installs."
MICROSOFT SECURITY ADVICE
Change IE security settings to high (Look under Tools/Internet Options)
Switch to a Windows user account with limited rights to change a PC's settings
With IE7 or 8 on Vista turn on Protected Mode
Ensure your PC is updated
Keep anti-virus and anti-spyware software up to date
Said Mr Ferguson: "If users can find an alternative browser, then
that's good mitigation against the threat."
But Microsoft counselled against taking such action.
"I cannot recommend people switch due to this one flaw," said John
Curran, head of Microsoft UK's Windows group.
He added: "We're trying to get this resolved as soon as possible.
"At present, this exploit only seems to affect 0.02% of internet
sites," said Mr Curran. "In terms of vulnerability, it only seems to
be affecting IE7 users at the moment, but could well encompass other
versions in time."
Richard Cox, chief information officer of anti-spam body The Spamhaus
Project and an expert on privacy and cyber security, echoed Trend
Micro's warning.
"It won't be long before someone reverse engineers this exploit for
more fraudulent purposes. Trend Mico's advice [of switching to an
alternative web browser] is very sensible," he said.
This could be the moment when the minnows in the browser wars finally
score a significant victory
Rory Cellan-Jones
BBC technology editor
Read the dot.life blog in full
PC Pro magazine's security editor, Darien Graham-Smith, said that
there was a virtual arms race going on, with hackers always on the
look out for new vulnerabilities.
"The message needs to get out that this malicious code can be planted
on any web site, so simple careful browsing isn't enough."
"It's a shame Microsoft have not been able to fix this more quickly,
but letting people know about this flaw was the right thing to do. If
you keep flaws like this quiet, people are put at risk without knowing
it."
"Every browser is susceptible to vulnerabilities from time to time.
It's fine to say 'don't use Internet Explorer' for now, but other
browsers may well find themselves in a similar situation," he added.
Do you use Microsoft's Internet Explorer? Have you been a victim of
internet crime? Send your comments to the BBC using the form below:
