March 24, 2006 5:22 PM PST
Microsoft mulls rushing out IE patch
- Related Stories
Dangerous code on Net could be used to exploit IE holeMarch 23, 2006
Another IE bug hits MicrosoftMarch 21, 2006
New bug can crash Internet ExplorerMarch 20, 2006
Spyware-killing Vista could take out rivalsMarch 17, 2006
Spyware fight attracts a crowdFebruary 10, 2006
Microsoft pushes out Windows patch ahead of timeJanuary 5, 2006
Windows flaw spawns dozens of attacksJanuary 3, 2006
Bots slim down to get toughNovember 16, 2005
Computer code that demonstrates how a hacker can use the flaw to take over a PC was released onto the Net on Thursday. At least two such exploits were made public, and one has now been adapted to attack systems, Monty IJzerman, the manager of security content at McAfee, said on Friday.
"This exploit code is being used in the wild in malware," or malicious software, IJzerman said. "I expect other attacks to be prepared and to be out there over the next few days."
In a security advisory issued Thursday, Microsoft said it will address the vulnerability in a security update, but did not say when that patch would be delivered. Its next "Patch Tuesday" bundle of fixes is scheduled for April 11. On Friday, however, Microsoft indicated that a security patch might be released outside of the regular cycle.
"It is on the table," said Stephen Toulouse, a program manager in Microsoft's Security Response Center. "Every time any kind of exploitation is going on, it is on the table."
The flaw is the third to hit Microsoft this week. It has to do with how Internet Explorer handles the "createTextRange()" tag in Web pages. A hacker could take advantage of it to gain control over a vulnerable PC by crafting a specially coded Web site, Microsoft said.
McAfee found that a Web site is using the IE vulnerability to sneak malicious code onto vulnerable Windows PCs, IJzerman said. The company has updated its security software to protect against that code, which IJzerman could only describe as something related to spyware.
Security companies Sunbelt Software and Websense have also reported seeing attacks out on the Internet.
Symantec had not yet seen the attack on Friday, but said it expected to see them. "There is a lot of financial incentive to exploit this stuff and foist nasty, unwanted things onto people's desktops without their consent," Dave Cole, a director at Symantec Security Response, said.
Typically, what gets installed on a PC using such flaws is adware, spyware or software that turns a PC into a zombie in a botnet used in other cyberattacks. An unpatched flaw is attractive to attackers, since people will not have received an update from Microsoft to protect their systems.
The last time Microsoft issued a fix early was in January. Microsoft rushed out a fix for a serious vulnerability in the way Windows handled the Windows Meta File image format. That flaw was also being abused to attack Windows users.
Meanwhile, Microsoft has offered a work-around for users to protect themselves. Disabling active scripting in the browser will prevent the attack, according to the Microsoft security advisory.
The flaw affects fully patched versions of IE 6 and Microsoft Windows XP with Service Pack 2 as well as IE 7 Beta 2 Preview, according to security experts. Microsoft, however, in its advisory lists the IE7 browser as immune.
96 commentsJoin the conversation! Add your comment