It seems a new, fairly serious flaw has been discovered in Internet Explorer 7 – and as accounts go it’s been around for a couple of months in the underground.
The worrying part is, patch Tuesday was yesterday and after testing it’s been discovered that this flaw WAS NOT patched in the updates.
ISC reports that it’s not currently widely used, but it has been found in the wild.
Microsoft said it is investigating reports that a new exploit is going around that takes advantage of an unpatched security hole in Internet Explorer 7.
The SANS Internet Storm Center, which tracks hacking trends, said today that while the exploit does not appear to be widely in use at the moment, that situation is likely to change soon, since instructions showing criminals how to take advantage of this flaw have been posted online.
SANS emphasizes that this vulnerability is not one that was fixed in the massive bundle of patches that Microsoft issued yesterday. It is not clear what steps users can take to protect themselves against this threat, other than to browse the Web with something other than IE, such as Mozilla Firefox or Opera. This appears to be the type of vulnerability that could be used to give attackers complete control over an affected system merely by convincing users to browse to a specially-crafted hacked or malicious Web site.
It seems the safest thing is not to use IE, which I personally have been doing since about 1998 anyway. But still, some people claim they have problems with Java or JavaScript or AJAX enabled sites with Firefox.
There’s always Opera, or even the new Google Chrome.
This exploit is a serious one as someone only needs to visit the site and remote code can be injected into their OS and executed.
According to SANS, the exploit works against fully-patched Windows XP and Windows 2003 systems with Internet Explorer 7.
In a statement e-mailed to Security Fix, Microsoft said once it is done with its investigation, the company “will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update or additional guidance to help customers protect themselves.”
Once again it’s demonstrated how stupid ‘Patch Tuesday’ is and how half of the people on the Internet are going to be vulnerable to this serious flaw until the first Tuesday in January.
I really hope Microsoft pushes out an emergency patch outside their schedule ASAP.
You can find a list of the sites known to be distributing the code on Shadowserver here.
Source: Security Fix
hmm, but safari had a bug like this too not so long ago.
this just goes to show that everyone should use firefox+linux… just because MS tells you to do something doesn’t mean you have to do it…