Users of Microsoft's Internet Explorer
are being urged by experts to switch to a rival until a
serious security flaw has been fixed.
The flaw in Microsoft's Internet Explorer could allow
criminals to take control of people's computers and steal
their passwords, internet experts say.
Microsoft urged people to be vigilant while it
investigated and prepared an emergency patch to resolve it.
Internet Explorer is used by the vast majority of the
world's computer users.
"Microsoft is continuing its investigation of public
reports of attacks against a new vulnerability in Internet
Explorer," said the firm in a security advisory alert about
the flaw.
Microsoft says it has detected attacks against IE 7.0 but
said the "underlying vulnerability" was present in all
versions of the browser.
Other browsers, such as Firefox, Opera, Chrome and Safari,
are not vulnerable to the flaw Microsoft has identified.
Browser bait
"In this case, hackers found the hole before Microsoft
did," said Rick Ferguson, senior security advisor at Trend
Micro. "This is never a good thing."
As many as 10,000 websites have been compromised since
the vulnerability was discovered, he said.
"What we've seen from the exploit so far is it stealing
game passwords, but it's inevitable that it will be adapted
by criminals," he said. "It's just a question of modifying
the payload the trojan installs."
Said Mr Ferguson: "If users can find an alternative
browser, then that's good mitigation against the threat."
But Microsoft counselled against taking such action.
"I cannot recommend people switch due to this one flaw,"
said John Curran, head of Microsoft UK's Windows group.
He added: "We're trying to get this resolved as soon as
possible.
"At present, this exploit only seems to affect 0.02% of
internet sites," said Mr Curran. "In terms of vulnerability,
it only seems to be affecting IE7 users at the moment, but
could well encompass other versions in time."
Richard Cox, chief information officer of anti-spam body
The Spamhaus Project and an expert on privacy and cyber
security, echoed Trend Micro's warning.
"It won't be long before someone reverse engineers this
exploit for more fraudulent purposes. Trend Micro's advice
[of switching to an alternative web browser] is very
sensible," he said.
PC Pro magazine's security editor, Darien Graham-Smith,
said that there was a virtual arms race going on,
with hackers always on the lookout for new vulnerabilities.
"The message needs to get out that this malicious code
can be planted on any web site, so simple careful browsing
isn't enough."
"It's a shame Microsoft have not been able to fix this
more quickly, but letting people know about this flaw was
the right thing to do. If you keep flaws like this quiet,
people are put at risk without knowing it."
"Every browser is susceptible to vulnerabilities from
time to time. It's fine to say 'don't use Internet Explorer'
for now, but other browsers may well find themselves in a
similar situation," he added.