Internet Explorer browser vulnerable to hijacking

[canuck]

SAN FRANCISCO - Users of all current versions of Microsoft Corp.'s Internet Explorer browser might be vulnerable to having their computers hijacked because of a serious security hole in the software that had yet to be fixed Monday.

The flaw lets criminals commandeer victims' machines merely by tricking them into visiting Web sites tainted with malicious programming code. As many as 10,000 sites have been compromised since last week to exploit the browser flaw, according to antivirus software maker Trend Micro Inc.

The sites are mostly Chinese and have been serving up programs that steal passwords for computer games, which can be sold for money on the black market. However, the hole is such that it could be "adopted by more financially motivated criminals for more serious mayhem — that's a big fear right now," Paul Ferguson, a Trend Micro security researcher, said Monday.

"Zero-day" vulnerabilities like this are security holes that haven't been repaired by the software makers. They're a gold mine for criminals because users have few ways to fight off attacks.

The latest vulnerability is noteworthy because Internet Explorer is the default browser for most of the world's computers. Also, while Microsoft says it has detected attacks only against version 7 of Internet Explorer, which is the most widely used edition, the company warned that other versions are also potentially vulnerable.

Microsoft said it is investigating the flaw and is considering fixing it through an emergency software patch outside of its normal monthly updates, but declined further comment. The company is telling users to employ a series of complicated workarounds to minimize the threat.

Many security experts, meanwhile, are urging Internet Explorer users to use another browser until a patch is released.

___

On the Net:

Microsoft's advisory:

http://www.microsoft.com/technet/securi ... 61051.mspx

[Fat Bob]

So what happens if you have decent anti-virus, spyware and firewall protection? Does this still apply?

And has anyone found a program that abuses this vulnerability yet? Or is it something that MS will fix prior to the program being run?

Anyhow, luckily we have a random-number generator with Singapore banks (either a dongle or SMS code).

[Jedi]

The story from Microsoft.

http://www.microsoft.com/technet/securi ... 61051.mspx

[Kooky]

Now what we need is the real story from an IT security expert.

If only we knew one...

[SunshineAfterRain]

May I ask which version of IE are you currently using? I have installed and been using IE 8 and I have yet to receive an hackers/intruders alert from my anti-virus programmes.

Time to upgrade if you are still using IE7.

[Jedi]

Reminder about IE8 (from the horses mouth):

Beta software is at a stage in the development process where it is ready to be evaluated by users while still undergoing testing. Internet Explorer 8 Beta 2 is close to its final release, but you may encounter a few bugs or compatibility issues while browsing websites.

If you're okay with using a beta product, install Internet Explorer 8 Beta 2 and take it for a test drive. We think you'll agree that it's faster, safer, and easier to use than ever. If you don't like it you can easily uninstall it whenever you want.

You can find uninstall instructions at our support page for Internet Explorer 8.

We understand if you feel uncomfortable installing beta software. Check this website in the coming months to see when the "final" version of Internet Explorer 8 is available.