Red Moon
16-12-2008, 03:06 PM
Internet Explorer users warned to change browser over security fearsMicrosoft admitted today that a serious flaw in security has left all users of Internet Explorer, the default web browser for most people, vulnerable to attack from hackers.
The loophole allows criminals to commandeer victims’ computers by tricking them into visiting tainted websites that steal passwords. Computer users are advised to switch to an alternative internet browser, such as Firefox or Google Chrome, to be certain to avoid hackers who have so far corrupted an estimated 10,000 websites.
Microsoft said they are considering the release of an emergency update, which would close the flaw. The computing company claims that it has only detected attacks on Internet Explorer 7, the most common version of the programme, but warned that other versions are also potentially vulnerable. A spokesman today estimated that one in 500 internet users had been affected.
The hack was initially devised by Chinese criminals, who have been stealing computer game passwords that can be sold on the black market. However, Paul Ferguson, a security researcher for Trend Micro Inc, said the security breach is so severe that it could be “adopted by more financially motivated criminals for more serious mayhem - that’s a big fear right now.”
Since the security flaw was reported late last week, Microsoft said there has been a marked increase in new attacks attempting to make use of the vulnerability. These opportunistic hackers who exploit known security breaches are called “zero-day” attackers.
“Zero-day” threats occur as hackers race against software makers to attack the affected programmes, such as Explorer, before the known problems are repaired.
Microsoft said it is investigating the flaw and is considering fixing it through an emergency software patch outside of its normal monthly updates.
John Curran, a spokesman for Microsoft, said: “Right now it’s affecting about 0.2 per cent of users who may have come in touch with the vulnerability.
“It has the potential to move world wide rather quickly so it’s a significant issue and that’s why Microsoft is working diligently to get it resolved as quickly as possible.
“We are recommending four steps which would protect you from the vulnerabilities we know today but there could be variations to the vulnerabilities.
“Obviously the chance for this to be exploited is there.”
The company is telling users to employ a series of complicated workarounds to minimise the threat. It has been suggested that increasing the internet security zone level to high and disabling Ole32db.dll in the access control list could help protect a computer.
Many security experts, though, have advised Internet Explorer users switch to another browser until an update is released. The next scheduled patch is not due until January 13, in the New Year, but it is not unusual for Microsoft to release an emergency patch.
[b]Microsoft’s advice for Internet Explorer users
1. Keep your anti-virus up-to-date. Microsoft has circulated the definitions of these vulnerabilities to all the major anti-virus providers.
2. Reset Internet Explorer to run in protected mode. This is the default mode in Windows Vista but not XP or the earlier version.
3. Set zone security to high.
4. Ensure Windows is updated. You can do this manually through Windows updater or set it to automatic updates.
More complex and comprehensive approaches are listed on the Microsoft website .
Source: The Times (http://technology.timesonline.co.uk/tol/news/tech_and_web/article5351749.ece)
The loophole allows criminals to commandeer victims’ computers by tricking them into visiting tainted websites that steal passwords. Computer users are advised to switch to an alternative internet browser, such as Firefox or Google Chrome, to be certain to avoid hackers who have so far corrupted an estimated 10,000 websites.
Microsoft said they are considering the release of an emergency update, which would close the flaw. The computing company claims that it has only detected attacks on Internet Explorer 7, the most common version of the programme, but warned that other versions are also potentially vulnerable. A spokesman today estimated that one in 500 internet users had been affected.
The hack was initially devised by Chinese criminals, who have been stealing computer game passwords that can be sold on the black market. However, Paul Ferguson, a security researcher for Trend Micro Inc, said the security breach is so severe that it could be “adopted by more financially motivated criminals for more serious mayhem - that’s a big fear right now.”
Since the security flaw was reported late last week, Microsoft said there has been a marked increase in new attacks attempting to make use of the vulnerability. These opportunistic hackers who exploit known security breaches are called “zero-day” attackers.
“Zero-day” threats occur as hackers race against software makers to attack the affected programmes, such as Explorer, before the known problems are repaired.
Microsoft said it is investigating the flaw and is considering fixing it through an emergency software patch outside of its normal monthly updates.
John Curran, a spokesman for Microsoft, said: “Right now it’s affecting about 0.2 per cent of users who may have come in touch with the vulnerability.
“It has the potential to move world wide rather quickly so it’s a significant issue and that’s why Microsoft is working diligently to get it resolved as quickly as possible.
“We are recommending four steps which would protect you from the vulnerabilities we know today but there could be variations to the vulnerabilities.
“Obviously the chance for this to be exploited is there.”
The company is telling users to employ a series of complicated workarounds to minimise the threat. It has been suggested that increasing the internet security zone level to high and disabling Ole32db.dll in the access control list could help protect a computer.
Many security experts, though, have advised Internet Explorer users switch to another browser until an update is released. The next scheduled patch is not due until January 13, in the New Year, but it is not unusual for Microsoft to release an emergency patch.
[b]Microsoft’s advice for Internet Explorer users
1. Keep your anti-virus up-to-date. Microsoft has circulated the definitions of these vulnerabilities to all the major anti-virus providers.
2. Reset Internet Explorer to run in protected mode. This is the default mode in Windows Vista but not XP or the earlier version.
3. Set zone security to high.
4. Ensure Windows is updated. You can do this manually through Windows updater or set it to automatic updates.
More complex and comprehensive approaches are listed on the Microsoft website .
Source: The Times (http://technology.timesonline.co.uk/tol/news/tech_and_web/article5351749.ece)