Serious security flaw found in IE!!!!

[Nodz86]

Serious security flaw found in IE

 

Users of Microsoft's Internet Explorer are being urged by experts to switch to a rival until a serious security flaw has been fixed.

 

The flaw in Microsoft's Internet Explorer could allow criminals to take control of people's computers and steal their passwords, internet experts say.

Microsoft urged people to be vigilant while it investigated and prepared an emergency patch to resolve it.

Internet Explorer is used by the vast majority of the world's computer users.

 

"Microsoft is continuing its investigation of public reports of attacks against a new vulnerability in Internet Explorer," said the firm in a security advisory alert about the flaw.

Microsoft says it has detected attacks against IE 7.0 but said the "underlying vulnerability" was present in all versions of the browser.

Other browsers, such as Firefox, Opera, Chrome, Safari, are not vulnerable to the flaw Microsoft has identified.

 

Browser bait

"In this case, hackers found the hole before Microsoft did," said Rick Ferguson, senior security advisor at Trend Micro. "This is never a good thing."

As many as 10,000 websites have been compromised since the vulnerability was discovered, he said.

"What we've seen from the exploit so far is it stealing game passwords, but it's inevitable that it will be adapted by criminals," he said. "It's just a question of modifying the payload the trojan installs."

Said Mr Ferguson: "If users can find an alternative browser, then that's good mitigation against the threat."

But Microsoft counselled against taking such action.

"I cannot recommend people switch due to this one flaw," said John Curran, head of Microsoft UK's Windows group.

He added: "We're trying to get this resolved as soon as possible.

"At present, this exploit only seems to affect 0.02% of internet sites," said Mr Curran. "In terms of vulnerability, it only seems to be affecting IE7 users at the moment, but could well encompass other versions in time."

Richard Cox, chief information officer of anti-spam body The Spamhaus Project and an expert on privacy and cyber security, echoed Trend Micro's warning.

"It won't be long before someone reverse engineers this exploit for more fraudulent purposes. Trend Mico's advice [of switching to an alternative web browser] is very sensible," he said.

 

PC Pro magazine's security editor, Darien Graham-Smith, said that there was a virtual arms race going on, with hackers always on the look out for new vulnerabilities.

"The message needs to get out that this malicious code can be planted on any web site, so simple careful browsing isn't enough."

"It's a shame Microsoft have not been able to fix this more quickly, but letting people know about this flaw was the right thing to do. If you keep flaws like this quiet, people are put at risk without knowing it." "Every browser is susceptible to vulnerabilities from time to time. It's fine to say 'don't use Internet Explorer' for now, but other browsers may well find themselves in a similar situation," he added.

 

From Radio 1 Newsbeat

[Shy Guy]

Thank god I switched to Firefox last April i think when IE was unbearable >_>

[Iced_Bullet]

this exploit only seems to affect 0.02% of internet sites,"

What do they mean only! 0.02% is a hell of a lot! *taps good old firefox*

[Nodz86]

Theres a Q & A on there aswell and the bloke from MS says one of the others rivals has multiple flaws but will not say which one so thats why he doesn't recomend you switch and tells you to reconfig about 10 options on your system/IE settings. I'll go and find the link

 

Edit:

Latest entry

Is it safe to Explore?Rory Cellan-Jones

16 Dec 08, 13:38 GMT

If the average computer user read the Microsoft security advisory about the Internet Explorer vulnerability - and you'd struggle to find it if you weren't looking - you might be none the wiser about how serious this was, or what action you should take.

 

A long way down comes this line: "An attacker who successfully exploited this vulnerability could gain the same user rights as the local user." As far as I understand it, that means there is a real danger that Internet Explorer 7 users (and possibly users of other versions of IE) could be opening the door to cyber criminals to allow them to ransack the contents of your hard drive. In other words, it is a pretty serious situation.

 

So when I spoke to John Curran, head of Windows at Microsoft UK, I had three questions.

 

1. How serious is this?

 

Mr Curran told me that only a tiny proportion of websites were infected, but given the sheer scale of today's web, that could affect a large number of people.

So, he said, "it is certainly something people should take seriously."

 

2. So what should IE users do?

 

Microsoft is working on a patch but in the meantime Mr Curran said there were four steps to take.

- make sure anti-virus software is up to date.

- run Internet Explorer 7 or 8 in "protected mode".

- set Internet Explorer zone security setting to "High"

- Windows users should enable Automatic Updates so that they get any patch that is issued.

 

But of course doing all of that is not only time-consuming, it will make your web browsing experience slower and less rewarding. Which brings us to the final question.

 

3. Shouldn't you switch to another browser until the patch come out?

 

This has been the advice of a number of security firms - who of course are also touting their latest anti-virus products - but you won't be surprised to hear that Mr Curran disagrees. He told me he had recently seen a report which listed another browser as having the highest number of vulnerabilities. "it would not be advisable," he said,"to send people from one vulnerability (in Internet Explorer) to multiple vulnerabilities."

 

But given the choice between messing around with Internet Explorer and so enduring a second-rate browsing experience until the hole is fixed, or running Firefox, Safari or Opera, aren't quite a few people likely to switch? This could be the moment when the minnows in the browser wars finally score a significant victory.

 

 

Source

[DriftNismo]

I don't mind, been on Firefox since it came out :D. But it does sound quite serious, I hope it gets sorted soon.

[Who]

oh noez... virus attack... wait, what's a virus again? *pats mac*

 

presumably this is a risk to vista users aswell then if MS is making a fuss?

[Nodz86]

yeah mainly vista and mainly versions 7 and 8 might effect other versions

[Nodz86]

I've just had the Update for IE download on my PC with the windows update thing, but now it wants to reboot

[KoenigseggBG]

Here`s another reason to use Firefox. ;)

[kalniel]

3 critical security flaws for Firefox have been found at the same time:

http://www.mozilla.org/security/announce/2008/mfsa2008-69.html

http://www.mozilla.org/security/announce/2008/mfsa2008-68.html

http://www.mozilla.org/security/announce/2008/mfsa2008-60.html

 

So just as MS have already patched the flaw in IE, firefox users need to patch ASAP as well.

 

And mac owners.. don't be smug either - Apple just released a bunch of security and bug fixes as well:

http://support.apple.com/downloads/Mac_OS_X_10_5_6_Combo_Update