March 23, 2006 5:43 PM PST

Dangerous code on Net could be used to exploit IE hole

Code that takes advantage of a security hole in Internet Explorer has been published on the Web and could be used by someone to unleash an e-mail virus that could put people's computers and data at risk, Microsoft and security experts said Thursday.

As with many such attacks, malicious code could sneak onto an unwitting victim's computer after the user is enticed to open an e-mail attachment containing the code or lured to visit a Web site with the code hidden in it. Once the computer is infected, an attacker could take control of the machine remotely, steal data and use the computer to attack others.

"We have seen examples of proof-of-concept code, but we are not aware of attacks that try to use the reported vulnerabilities, or of customer impact, at this time," Microsoft said in a security advisory posted on its Web site.

People using so-called fully patched versions of IE 6 and Microsoft Windows XP with Service Pack 2 are affected. Customers who use IE 7 Beta 2 Preview, which was released March 20, are not affected by the "createTextRange" vulnerability, Microsoft said.

To fix the problem, the company said it would provide an update in an upcoming security release. In the meantime, Microsoft advised IE users to avoid visiting untrusted Web sites and to avoid opening e-mail attachments from unknown senders. It also recommended changing the IE settings to disable Active Scripting. Web surfers could also choose to use a browser that's not affected by the vulnerability.

Security company Secure Elements rated the severity of the vulnerability at its highest level, 10, because it can be remotely exploited and an exploit has been released.

"Internet Explorer users can expect a virus or worm in the very near future," Scott Carpenter, director of security labs at Secure Elements, said in a statement. "The most probable vector for this worm will be in the form of spam with malicious links that will tempt users into clicking on a link that takes them to a malicious Web site."

This is the third security flaw Microsoft is investigating this week. The software giant said Tuesday that it was investigating a security flaw that could let an attacker gain control of a vulnerable Windows computer. The company said Monday it was looking into a vulnerability that could cause IE to crash.


22 comments

Phishing
Since this email requires clicking on a link, would MS's new IE7 anti-phishing feature protect users from this threat?
Posted by TheBluePointe (6 comments )
IE7? Protect?
Sorry dude, nothing from Microsoft is designed to protect you from anything. Security is an after-thought in MS product development, something they deal with after releasing a product.
Posted by booboo1243 (328 comments )
IE7 Protection?
Since this threat requires clicking on a link, would MS's new IE7 with anti-phishing features help protect users?
Posted by TheBluePointe (6 comments )
The ULTIMATE protection...
Use a Mac!! Yeah, I know, there were those false stories a couple of weeks ago about a supposed Mac virus/security threat. Well, pay no attention to the man behind the curtain.

How can anyone take M$ seriously when these security flaws show up EVERY week?? Well, I guess if you only update your OS every 5+ years, you have to expect that such OLD technology is just Swiss cheese.

Problem is though, do you expect any more protection of the customer in Vista? Answer honestly now.......
Posted by (57 comments )
Use mac, and watch 50% of your progs not work anymore.. smart
yea... ya know.. use a Mac and have just about half of your programs not working anymore. It's not an easy jump. If you're going to make a jump like that, might as well jump to *nix instead.. most people are not ready for that.
Posted by aSiriusTHoTH (176 comments )
Maybe
Maybe Vista might be more secure because it no longer has the flaw that other MS OS' had - Internet Explorer will be no longer tied in.

False stories? No. Blown out of proportion? Yes.
Though it may be much more secure, Macs are getting much more attention from 'hackers' now.

Until Macs can run the same high-profile programs that Windows does, then it really is a big leap to switch.
Posted by Tomcat Adam (272 comments )
Copy/paste news, re: MS security
I think I've seen this story before...1,000's of times?
Posted by booboo1243 (328 comments )
Not near as often as we've seen your lame replies
You have nothing to contribute so go away and stay away.
Posted by aabcdefghij987654321 (1721 comments )
My machine got hit
I had to format my machine as this exploit was used to install a password-stealing trojan on my machine. I used a new hard drive and examined the old, and found exactly how and where I got attacked. I got hit by an ad served by "popunder.paypopup.com" while visiting "gallery.hilary-duff.net". And I have all the evidence to back it up. If popup ad providers are serving this stuff up, it's liable to infect people anywhere they go on the net. Time to not use IE for a little while...
Posted by reswobslc (2 comments )