Microsoft mulls rushing out IE patch

Fix for a serious flaw in the Web browser may come early, as reports come in of Web sites using the hole for attacks.

Joris Evers Staff Writer, CNET News.com
Microsoft may rush out a security update for Internet Explorer to fix a flaw that is now being exploited to attack Windows systems, security companies say.

Computer code that demonstrates how a hacker can use the flaw to take over a PC was released onto the Net on Thursday. At least two such exploits were made public, and one has now been adapted to attack systems, Monty IJzerman, the manager of security content at McAfee, said on Friday.

"This exploit code is being used in the wild in malware," or malicious software, IJzerman said. "I expect other attacks to be prepared and to be out there over the next few days."

In a security advisory issued Thursday, Microsoft said it will address the vulnerability in a security update, but did not say when that patch would be delivered. Its next "Patch Tuesday" bundle of fixes is scheduled for April 11. On Friday, however, Microsoft indicated that a security patch might be released outside of the regular cycle.

"It is on the table," said Stephen Toulouse, a program manager in Microsoft's Security Response Center. "Every time any kind of exploitation is going on, it is on the table."

The flaw is the third to hit Microsoft this week. It has to do with how Internet Explorer handles the "createTextRange()" method in Web pages. A hacker could take advantage of it to gain control over a vulnerable PC by crafting a specially coded Web site, Microsoft said.

McAfee found that a Web site is using the IE vulnerability to sneak malicious code onto vulnerable Windows PCs, IJzerman said. The company has updated its security software to protect against that code, which IJzerman could only describe as something related to spyware.

Security companies Sunbelt Software and Websense have also reported seeing attacks out on the Internet.

Symantec had not yet seen the attacks on Friday, but said it expected to. "There is a lot of financial incentive to exploit this stuff and foist nasty, unwanted things onto people's desktops without their consent," Dave Cole, a director at Symantec Security Response, said.

Typically, what gets installed on a PC using such flaws is adware, spyware or software that turns a PC into a zombie in a botnet used in other cyberattacks. An unpatched flaw is attractive to attackers, since people will not have received an update from Microsoft to protect their systems.

The last time Microsoft issued a fix early was in January, when it rushed out a patch for a serious vulnerability in the way Windows handled the Windows Metafile image format. That flaw was also being abused to attack Windows users.

Meanwhile, Microsoft has offered a workaround for users to protect themselves. Disabling active scripting in the browser will prevent the attack, according to the Microsoft security advisory.

The flaw affects fully patched IE 6 on Microsoft Windows XP with Service Pack 2, as well as IE 7 Beta 2 Preview, according to security experts. Microsoft's advisory, however, lists the IE 7 browser as immune.