ZDNet UK

CNET NETWORKS UK BUSINESS SITES:
atlarge.com
BNET UK
silicon.com
SmartPlanet.com
ZDNet.co.uk

ZDNet.co.uk - Winner of Best Business Website 2007

You are here: ZDNet.co.uk > News > Security

Security threats Toolkit

IE users brace for attack

Elinor Mills CNET News.com

Published: 24 Mar 2006 11:10 GMT

Code that takes advantage of a security hole in Internet Explorer has been published on the Web and could be used by someone to unleash an email virus that could put people's computers and data at risk, Microsoft and security experts said on Thursday.

As with many such attacks, malicious code could sneak onto an unwitting victim's computer after the user is enticed to open an email attachment containing the code or lured to visit a Web site with the code hidden in it. Once the computer is infected, an attacker could take control of the machine remotely, steal data and use the computer to attack others.

"We have seen examples of proof-of-concept code, but we are not aware of attacks that try to use the reported vulnerabilities, or of customer impact, at this time," Microsoft said in a security advisory posted on its Web site.

People using fully patched versions of IE 6 and Microsoft Windows XP with Service Pack 2 are affected. Customers who use IE 7 Beta 2 Preview, which was released on 20 March, are not affected by the createTextRange vulnerability, Microsoft said.

To fix the problem, the company said it would provide an update in an upcoming security release. In the meantime, Microsoft advised IE users to avoid visiting untrusted Web sites and to avoid opening email attachments from unknown senders. It also recommending changing the IE settings to disable Active Scripting. Web surfers could also choose to use a browser that's not affected by the vulnerability.

Security company Secure Elements rated the severity of the vulnerability at its highest level, 10, because it can be remotely exploited and an exploit has been released.

"Internet Explorer users can expect a virus or worm in the very near future," Scott Carpenter, director of security labs at Secure Elements, said in a statement. "The most probable vector for this worm will be in the form of spam with malicious links that will tempt users into clicking on a link that takes them to a malicious Web site."

This is the third security flaw Microsoft is investigating this week. The software giant said on Tuesday that it was investigating a security flaw that could let an attacker gain control of a vulnerable Windows computer. The company said on Monday it was looking into a vulnerability that could cause IE to crash.