
Microsoft flaws let in porno pop-ups...
By Robert Lemos
Published: 10 June 2004 09:05 BST
An adware purveyor has apparently used two previously unknown security flaws in Microsoft's Internet Explorer browser to install a toolbar on victims' computers that triggers pop-up ads, researchers said this week.
One flaw lets an attacker run a program on a victim's machine, while the other enables malicious code to "cross zones," or run with privileges higher than normal. Together, the two issues allow for the creation of a website that, when visited by victims, can upload and install programs to the victim's computer, according to two analyses of the security holes.
The possibility that a group or company has apparently used the vulnerabilities as a way to sneak unwanted advertising software, or adware, onto a user's computer could be grounds for criminal charges, said Stephen Toulouse, security program manager for Microsoft.
"We consider that any use of an exploit to run a program is a criminal use," he said. "We are going to work aggressively with law enforcement to prosecute individuals or companies that do so."
Microsoft learned of the issue when a security researcher posted an analysis of the problem to the Full Disclosure security mailing list Monday. The software giant has already contacted the FBI and is in the "early stages" of building the case, Toulouse said. The company is considering creating a patch quickly and releasing it as soon as possible, rather than waiting for its usual monthly update.
The flaws are apparently being used to install the I-Lookup search bar, an adware toolbar that is added to IE's other toolbars. The adware changes the Internet Explorer home page, connects to one of six advertising sites and frequently displays pop-ups - mainly pornographic ads, according to an adware advisory on antivirus company Symantec's website.
On Tuesday, security information group Secunia released an advisory about the problem, rating the two flaws "extremely critical."
The flaws could let any attacker with a website send an email message or an instant message with a link that, when clicked on by an Internet Explorer user, would cause a program to run on that victim's computer.
Robert Lemos writes for News.com
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.