Exploit code for a new critical flaw in Microsoft’s
Internet Explorer is now circulating on the internet, which allows
remote attackers to take over users’ PCs.
The flaw affects versions 5.5 and 6 of Internet Explorer and
Microsoft has no patch for the vulnerability.
The security hole is related to the way the browser handles
Javascript code, which leaves users vulnerable to their machines
being taken over by remote attackers simply by visiting a malicious
website.
No further user interaction is needed to set off the attack, so
under the terms of Microsoft’s definition of threats the flaw can
be deemed as critical.
The flaw affects both the Windows 2000 and XP operating systems,
including those XP systems running the Service Pack 2 security
bundle.
Both internet security firm Secunia and the SANS security
institute have reported warnings about the threat, which has
existed for around six months.
Until now it was thought the flaw could only be used to
potentially set off a denial-of-service attack on a network, which
is regarded as a less serious threat in the industry.
The fact that the vulnerability can now be used to completely
take over machines means the industry now expects Microsoft to
quickly deal with the problem.
Microsoft said it was looking at the threat and considering
whether to issue an immediate patch or bundle one as part of next
month’s scheduled patching cycle.
The company is already considering whether to issue a patch for
another different Windows flaw which allows attackers to launch a
denial-of-service attack and crash networks.
As for the newly discovered threat, the only current workaround
for users is to either turn off Javascript support in their
browsers or use a different browser.