Microsoft banner ad attack hole patched

Microsoft published a patch for Internet Explorer on Wednesday, aiming to close a month-old hole that has been used to spread viruses and to compromise PCs via banner-ad attacks.

The vulnerability, dubbed the Internet Explorer Elements flaw by Microsoft, is also known as the Iframe vulnerability, or Bofra exploit. The issue - which Microsoft has said does not affect those who have upgraded to Windows XP Service Pack 2 - could allow an attacker to take control of a victim's PC, if the user is logged on as an administrator. Most home users tend to log onto Windows as administrators.

A Microsoft representative said the software giant had released the update before its next scheduled patch day, 7 December, because it had already been used by malicious software to compromise Windows users' PCs.

Stephen Toulouse, security program manager at Microsoft's security response centre, explained this, by saying: "That's one of the things that we factor in - when the customers are affected or there are active attacks."

An attacker can use the vulnerability to gain control of a person's computer when the victim clicks on a simple web link. The attacker would then have complete control of the system, and could install programs, view, modify or delete data and create new accounts.

The patch arrived more than a month after news of the vulnerability was first posted on public security mailing lists. The move garnered criticism from Microsoft, which has led a drive to convince security researchers to give software makers at least 30 days to fix issues before outing the problem in public forums.

The IE flaw underscores that online criminals are all too willing to use the latest vulnerabilities to take illicit control of users' PCs.

Two computer viruses appeared on the internet in early November, using the vulnerability in Microsoft's browser to infect PCs after their users clicked on a simple web link. The viruses, called Bofra.A and Bofra.B by antivirus companies, were loosely based on the source code of MyDoom.

In addition, online intruders breached the security of at least one server at advertising host Falk last week and used the computer to distribute an attack to the service's clients.

The IE Elements flaw affects PCs with IE version 6 installed, but Microsoft has said that it does not affect computers that have been upgraded to Service Pack 2. XP SP2 has now been downloaded more than 130 million times, Microsoft's Toulouse said.

The latest update for IE 6 can be downloaded from Microsoft's security site, or obtained through Windows Update.