Dec 17, 2008

Tech - Microsoft releasing emergency patch for perilous IE flaw

Glenn Chapman

SAN FRANCISCO (AFP) – Microsoft will release an emergency patch on Wednesday to fix a perilous software flaw allowing hackers to hijack Internet Explorer browsers and take over computers.

The US software giant said on Tuesday that in response to "the threat to customers" it immediately mobilized security engineering teams worldwide to deliver a software cure "in the unprecedented time of eight days."

According to researchers at software security firm Trend Micro, attacks based on the vulnerability in the world's most popular Web browser are spreading "like wildfire" with millions of computers already compromised.

Microsoft typically releases patches for its software on the second Tuesday of each month and rushing this fix to computer users out-of-cycle is testimony to the severe danger of the threat, according to Trend Micro.

"When the patch is released people should run, not walk, to get it installed," said Trend Micro advanced threat researcher Paul Ferguson.

"This vulnerability is being actively exploited by cyber-criminals and getting worse every day."

Trend Micro has identified about 10,000 websites that have been infected with malicious software that can be surreptitiously slipped into visitors' unprotected IE browsers to take advantage of the flaw.

A major Internet portal in Taiwan is among the legitimate websites unknowingly tainted with malicious software aimed at IE's weak spot, according to Ferguson.

Hackers can take control of infected computers, steal data, redirect browsers to dubious websites, and use machines for devious activities such as attacks on other networks, according to security specialists.

"What makes this so insidious is it takes advantage of a big gaping hole of IE, which has the largest install base of any browser on the market," Ferguson said.

IE is used on nearly three-quarters of the world's computers, according to industry statistics from November.

"At this time, we are aware only of attacks that attempt to use this vulnerability against Windows Internet Explorer 7," said Microsoft security response communications head Christopher Budd.

"Microsoft encourages customers to test and deploy this update as soon as possible. Microsoft's teams worked around the clock."

Ferguson said the flaw is being taken advantage of in "multiple versions" of IE not just the most current.

Trend Micro urges IE users to heed precautionary advice from Microsoft, or avoid using the browsers, until the patches are applied.

"There is a working flaw circulating in the criminal underground," Ferguson said. "It opens the window of opportunity that much wider to take advantage and there has not been real protection against it."

The "exploit" is similar to one used recently to steal user names, passwords and other information from people playing online games in China, according to Trend Micro.

A Chinese computer security firm that had discovered attacks taking advantage of the IE flaw released details last week after evidently thinking Microsoft had fixed the problem with routinely released software patches.

"It spread like wildfire from there," Ferguson said. "I guess they were trying to be responsible and share what they knew about what was going on, but they were mistaken about it being patched."

No comments: