Microsoft To Patch Giant IE Bug
Microsoft posted an advanced notification for the patch on its Web site Tuesday.
The company initially warned users about the flaw last week in a security advisory following its monthly Patch Tuesday security bulletin release Dec. 9, which it updated in another advisory Monday.
Since then, hackers have released exploit code that experts estimate has already spread to millions of computers around the globe.
"It's a remote exploit that gives the attacker complete control," said Michael Argast, security analyst for Sophos. "It's the most critical type of flaw that can exist. It's one of those drop-dead scenarios where you've got to fix it."
Microsoft said that it is aware of active attacks exploiting the vulnerability, but noted in its warning that it's only aware of attacks against Windows Internet Explorer 7.
The IE security problem stems from a fundamental flaw in the browser's data binding function, a vulnerability that leaves a hole in the browser's memory space that remote attackers can reach. Internet Explorer can then quit unexpectedly in an exploitable state.
Experts say that this bug is particularly dangerous because it requires almost no user intervention. Instead of clicking on an infected link or downloading software, users only have to visit a Web site already laden with malware for the exploit to succeed. Once a user's computer is compromised, malicious code could be used to steal financial information, passwords, and other credentials, or the machine could be incorporated into a network of controlled computers designed to distribute spam and malware, known as a botnet.
Until a patch is released, Microsoft has suggested some workarounds, posted on its Web site, which the company said will provide protection for IE users against attack. "Our investigation of these attacks so far has verified that they are not successful against customers who have applied the workarounds listed in this advisory," Microsoft said.
Microsoft said it would continue to investigate the problem while working with partners to "monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability," according to the advisory.
While the scheduled patch will likely protect IE users, security experts maintain that attacks will likely get worse, because malware authors time the release of malicious code around Microsoft's patch cycle to get the maximum amount of "attack time."
Meanwhile, until Microsoft releases a patch fixing the error, experts strongly encourage users to apply proactive security measures, such as keeping antivirus and antimalware software current. Numerous antivirus products incorporate behavioral protection, which is often easier to keep up to date than deploying a companywide patch, Argast said.
Customers can also implement the workarounds. However, Argast said that the process would be time-consuming and complicated for most users.
"Realistically, most users aren't going to go through that. It's quite convoluted," he said. "Your best bet for the next couple of days would be to run Firefox."