Risk too great to wait for Redmond, it says...
By Joris Evers
Published: 25 September 2006 09:10 GMT
A group of security professionals has created a third-party fix for a recently discovered Internet Explorer flaw that's increasingly being used in cyber attacks.
The group, which calls itself the Zeroday Emergency Response Team, or Zert, created the patch so IE users can protect themselves while Microsoft works on an official fix
A Zert spokesman said on Friday: "Certain members of the group feel that the risk associated with this vulnerability is so great that they can't wait for a patch. Some users might agree with that and apply this patch."
The flaw lies in the way IE 6 handles certain graphics. Malicious software can be loaded, unbeknownst to the user, onto a vulnerable Windows PC when the user clicks on a malicious link on a website or an email message. Word of the vulnerability came last week, when the weakness was already being exploited in cyber attacks.
Ken Dunham, director of the rapid response team at VeriSign's iDefense, said: "Attacks have ramped up significantly in the past 24 hours." In many cases, the attacks install spyware, adware and remote control software on victims' PCs.
In at least one case, cyber criminals broke into a web hosting company and redirected 500 internet domains to point to a malicious site that exploits this latest flaw, Dunham said. "So you're just surfing the web, and all of a sudden, you are redirected to a malicious website," he said.
Attacks that exploit the flaw via email are likely to surface soon, he added.
While Microsoft is aware of the attacks, it said it does not recommend using the third-party fix. A Microsoft representative said in a statement: "As a best practice, customers should obtain security updates and guidance from the original software vendor."
This is the third time this year somebody has beaten Microsoft to the punch with a security fix. In January, an outside patch was created for a vulnerability in the way Windows renders Windows Meta File images, and in March, two security companies issued patches for a bug related to how IE handled certain tags in web pages.
Joris Evers writes for CNET News.com
FIX Support Analyst with strong client facing skills required for a leading boutique financial software organisation. An in-depth knowledge of FIX is ...
This may include experience of hardware break / fix, software break / fix, software installation, password sets and imaging. Helpdesk Analyst / 1st ...
Title: Web Applications Vulnerability Tester / Penetration Tester Salary: market rates but probably 40k to 60k Company: online / ecommerce company ...
Agenda Setters 2009
Welcome to the ninth annual Agenda Setters poll – silicon.com's list of the top 50 most influential individuals in the technology and IT industries, from techies and CIOs to entrepreneurs and business leaders. Find out more in our latest special report.
Stories from the web...
Copyright © 2008 CBS Interactive Limited. All rights reserved. Top of page
Digg
Slashdot
Del.icio.us
Stumble
Reddit
RSS Feeds
Clive Longbottom Windows 7: Not perfect - but ready for prime time Microsoft's latest OS fixes most of Vista's ills - but still has challenges ahead
Stephen Kleynhans Mind the details with Windows 7 Just because it might work better than Vista, it doesn't mean you can be sloppy