A new flaw in Microsoft’s Internet Explorer has come to light, but the software giant does not expect to issue a patch for it until April 11. However, at least two outside firms have issued patches that may be used in the interim.
The vulnerability lies in the way Internet Explorer handles HTML code objects, according to Sandeep Dhameja, senior security consultant at SpiderLabs, the forensics and penetration testing division of AmbironTrustWave.
The flaw affects fully patched Windows XP SP2 systems running either Internet Explorer 6.0 or the latest version 7 Beta 2 (January 2006 edition), Dhameja told TechNewsWorld.
“The exploit code for this vulnerability is available on the Internet, and it allows hackers to commandeer vulnerable computers by tricking Web surfers to visit Web sites containing malicious code,” he said. “Once such a site is visited, malicious code will attempt to infect the computer system with keystroke loggers — backdoor applications [that] not only attempt to steal payment card information but also online banking information including debit card transaction data.”
200 and Counting
There are some 200 Web sites already infected with the malicious code that exploits the IE vulnerability, Scott Carpenter, director of the Secure Elements security labs, told TechNewsWorld.
“There have been reports that a developer [for a major enterprise resource planning vendor] had his password stolen after visiting one of the sites,” he said.
A lot of damage can occur prior to Microsoft’s April 11 target for issuing a patch, Carpenter pointed out. It is likely that Microsoft will work hard to speed up its release, he suggested, especially as two other firms have already offered their own fixes.
“I am not sure Microsoft can handle the bad press of having a non-Microsoft patch — two of them — out there,” he remarked.
Microsoft is proposing a temporary workaround by having users disable their active scripts setting within the Internet Explorer browser.
This “answer” places the burden on the users, though, Carpenter said. “What we have now is a browser that is vulnerable to malware, so Microsoft wants users to disable most of it and follow safe browsing practices until it releases its patch.”
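The workaround Microsoft describes is a per-user Internet Explorer security-zone setting. The following PowerShell script is an added example for administrators who want to verify or apply it on a machine; it is not code from the article, from Microsoft, or from any of the firms quoted. It assumes the documented layout of IE's zone settings: per-user values live under the registry key below, zone 3 is the Internet zone, and the DWORD value named 1400 is "Active scripting" with 0 = Enable, 1 = Prompt, 3 = Disable.

```powershell
# Added example (not from the article): inspect and, if wanted, change the
# "Active scripting" setting of Internet Explorer's Internet zone for the
# current user. Assumed registry layout: zone 3 = Internet zone, value 1400
# = Active scripting, 0 = Enable, 1 = Prompt, 3 = Disable.

$ZoneKey         = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ActiveScripting = '1400'
$Meaning         = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingState {
    # Read the zone's values; a missing 1400 value means the zone default applies.
    $props = Get-ItemProperty -Path $ZoneKey -ErrorAction Stop
    $raw   = $props.$ActiveScripting
    if ($null -eq $raw) { return 'Not set (zone default applies)' }
    $code = [int]$raw
    if ($Meaning.ContainsKey($code)) { return $Meaning[$code] }
    return "Unknown ($code)"
}

function Set-ActiveScriptingState {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Enable', 'Prompt', 'Disable')]
        [string]$State
    )
    # Map the friendly name back to the DWORD IE expects and write it.
    $value = @{ Enable = 0; Prompt = 1; Disable = 3 }[$State]
    Set-ItemProperty -Path $ZoneKey -Name $ActiveScripting -Value $value -Type DWord
}

# Report the current state so a help desk can confirm the workaround is in place.
Write-Host ("Internet zone Active scripting: " + (Get-ActiveScriptingState))

# Apply the interim workaround for this user:
#   Set-ActiveScriptingState -State Disable
# Restore the default once the vendor patch has been installed:
#   Set-ActiveScriptingState -State Enable
```

Two caveats for anyone using this. Disabling Active scripting in the Internet zone breaks most script-driven sites, which is exactly the burden on users that Carpenter objects to above, so sites that must keep working should be moved to the Trusted Sites zone rather than scripting being re-enabled globally. And on a domain-joined machine the per-user value may be overridden by policy stored under HKLM, in which case the HKCU reading above does not reflect the effective setting; check the corresponding HKLM key (or the resulting Group Policy report) before concluding the workaround is applied.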
Then there are the patches two Internet security firms have released. They are not designed as permanent solutions, Dave Mason, host of the nationally syndicated ComputerTalk radio show and technology consultant, told TechNewsWorld.
“I generally don’t recommend third-party patches. Microsoft has enough trouble getting it right; third parties should be viewed very skeptically. I would recommend waiting for the Microsoft patch,” he urged.
That may seem like sound advice — unless, of course, your password to an ERP vendor’s development site has been stolen.