Serious security flaw found in IE

Fifteen · 16-12-2008, 12:31 PM

Users of Microsoft's Internet Explorer are being urged by experts to switch to a rival until a serious security flaw has been fixed.
The flaw in Microsoft's Internet Explorer could allow criminals to take control of people's computers and steal their passwords, internet experts say.
Microsoft urged people to be vigilant while it investigated and prepared an emergency patch to resolve it.
Internet Explorer is used by the vast majority of the world's computer users.

It's a shame Microsoft have not been able to fix this more quickly

Darien Graham-Smith
PC Pro magazine

Q&A: Stay safe online

"Microsoft is continuing its investigation of public reports of attacks against a new vulnerability in Internet Explorer," said the firm in a security advisory alert about the flaw.
Microsoft says it has detected attacks against IE 7.0 but said the "underlying vulnerability" was present in all versions of the browser.
Other browsers, such as Firefox, Opera, Chrome, Safari, are not vulnerable to the flaw Microsoft has identified.
As many as 10,000 websites have been compromised since last week to take advantage of the security flaw, said antivirus software maker Trend Micro.
The websites have been mostly serving up programs that steal computer game passwords, but the flaw could be "adopted by more financially motivated criminals", a Trend Micro security researcher said on Monday.

MICROSOFT SECURITY ADVICE
Change IE security settings to high (Look under Tools/Internet Options)
Switch to a Windows user account with limited rights to change a PC's settings
With IE7 or 8 on Vista turn on Protected Mode
Ensure your PC is updated
Keep anti-virus and anti-spyware software up to date

Richard Cox, chief information officer of anti-spam body The Spamhaus Project and an expert on privacy and cyber security, echoed Trend Micro's warning.
"It won't be long before someone reverse engineers this exploit for more fraudulent purposes. Trend Mico's advice [of switching to an alternative web browser] is very sensible," he said.
PC Pro magazine's security editor, Darien Graham-Smith, said that there was a virtual arms race going on, with hackers always on the look out for new vulnerabilities.
"The message needs to get out that this malicious code can be planted on any web site, so simple careful browsing isn't enough."
"It's a shame Microsoft have not been able to fix this more quickly, but letting people know about this flaw was the right thing to do. If you keep flaws like this quiet, people are put at risk without knowing it." "Every browser is susceptible to vulnerabilities from time to time. It's fine to say 'don't use Internet Explorer' for now, but other browsers may well find themselves in a similar situation," he added.

http://news.bbc.co.uk/1/hi/technology/7784908.stm

..

~~Blinger1~~ · 16-12-2008, 12:38 PM

Yep, wrong section and has been posted.
http://www.habboxforum.com/showpost....25&postcount=2

Xarea · 16-12-2008, 12:41 PM

This is why you use Firefox.

~~Pyroka~~ · 16-12-2008, 01:03 PM

LOL This is why I call IE a crap browser, full stop.

Decode · 16-12-2008, 04:59 PM

The exploit is a typical heap overflow that appears to be exploiting something in the XML parser ... What is also interesting ... is that it waits 6 seconds before executing the code – this was probably added to thwart automatic crawlers by anti-virus vendors.
...
Windows Server 2008 and Vista (both SP0 and SP1) are affected as well. The exploit for Windows Vista is publicly available now as well ... we received log files showing that attackers [are now] using SQL injection.
...
The attackers are picking this quickly so make sure that you are following recommendations from Microsoft's advisory which will help reduce exposure or, if you can, use an alternative browser until this has been fixed.

More info