'Extremely Critical' IE Exploit in the Wild
- By Scott Bekker
- June 10, 2004
Users running fully patched versions of Internet Explorer are vulnerable to a new exploit in the wild that has been used to load adware onto systems whose owners did nothing more than click on a malicious Web address, according to security researchers.
Secunia, a security firm, labels the problem "extremely critical." The company uses the designation for remotely exploitable vulnerabilities that can lead to system compromise, don't normally require interaction and have exploits in the wild.
Unlike most exploits, the one targeting this IE flaw appears to be a so-called "zero-day exploit," meaning that the exploit appeared before an official Microsoft patch was issued for the underlying flaw. In most cases, exploits are developed after Microsoft or independent security researchers publicly expose the problem along with a simultaneous patch. In those cases, Windows users and malware authors are in a race -- users to patch their systems and malware authors to create an exploit based on the flaw before most systems are protected.
Microsoft, which released its monthly batch of security patches for June on Tuesday, did not have any warnings or information posted about the problem on its main security pages such as www.microsoft.com/security as of mid-afternoon Thursday. A Microsoft spokesperson said the company is reviewing the issue.
"Microsoft is actively investigating public reports of a malicious attack exploiting vulnerabilities in Internet Explorer and will continue to investigate to determine the appropriate course of action to protect our customers," the spokesperson said. "This might include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs."
If Microsoft does release a fix before its next Patch Tuesday, which would fall on July 13, it would be only the second time it has issued an out-of-cycle patch since instituting its monthly patching cycle last year.
For customers who want to minimize risks, the spokesperson provided links to two older Microsoft documents that don't specifically reference the problem. One is a page of safe browsing tips at www.microsoft.com/security/incident/settings.asp. The other is for enterprise customers looking to minimize risk by increasing the security of the Local Machine Zone in IE: support.microsoft.com/default.aspx?scid=kb;en-us;833633.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.