So far 95,000 Internet Explorer users have downloaded an
unofficial patch to fix a critical security flaw in the
browser.
The patch was issued by eEye Digital Security earlier this week
when exploit code for the IE flaw started to appear on the
internet.
Rival intrusion detection firm Determina followed suit and also
issued its own unofficial patch.
Neither patch is sanctioned by Microsoft, which is still
working on its own official fix. It is not known how many users
have so far downloaded the Determina patch.
The Microsoft patch is expected to be issued by 11 April at the
latest, which is the company’s scheduled security patching date.
But because the threat of the flaw is increasing, the company said
it has not ruled out releasing a fix earlier.
Microsoft does not sanction the use of unofficial patches, as it
says they could potentially affect the way other IE and Windows
components usually work.
The vulnerability is found in the way IE processes
"createTextRange()" JavaScript, and is currently being exploited by
hundreds of malicious websites which are trying to tempt users with
rogue e-mail links.
Internet security company Websense has warned users to be on the
lookout for spoof e-mails purporting to be from the BBC, which
contain web links that take users to malicious sites.
Users think they are being taken to a news story, but once there
they are infected with a Trojan virus and key-logging software.
In addition to the critical flaw that has made it into the wild,
Microsoft is also considering two other security flaws found in its
browser last week.