Critical Internet Explorer Flaw Patched

by Third Party Jay Wrolstad,
newsfactor.com
Tue Mar 28, 2:20 PM ET
source: http://news.yahoo.com/s/nf/20060328/...N5bnN1YmNhdA--



While Microsoft works on a patch for a critical Internet Explorer 6 script vulnerability that can allow a hacker to take control of a Windows PC, another firm has beaten Microsoft to the punch, releasing its own fix for the problem.

The new patch from eEye Digital Security is not meant to replace the forthcoming Microsoft patch, but it does provide immediate protection in lieu of an available fix. It is designed to remove itself automatically when Microsoft's official patch becomes available.

Microsoft's official update might not be released until next month, according to a blog posting on the company's security site.

The notice states that the company has seen only limited numbers of attacks targeting the newly found flaw and that an Internet Explorer 6 update will be released as soon as it is ready. Currently, Microsoft's plan is to prepare the fix in time for its next set of monthly patches, due to be released in early April.

Seeking Feedback

Meanwhile, the software giant has introduced an Internet Explorer feedback database in an effort to collect information on potential bugs found in the beta version of Internet Explorer 7.

The company noted on the Internet Explorer site that customers have requested a better way to alert Microsoft to bugs. For now, visitors to the feedback database will need a Microsoft Passport to view or report browser problems, although Microsoft plans eventually to allow anonymous access to the site.

The feedback site is for Internet Explorer 7 and future versions the browser. Once IE7 has shipped, the site will be used to gather feedback so Microsoft can improve future iterations.

Bugs can be marked either as public or private. A public bug can be viewed by anyone who goes to the feedback database, enabling those who discover the same issues to evaluate them and know that they are entered.

Forrester analyst Paul Stamp suggested that, given the ongoing problems associated with Internet Explorer, both security-related issues and those involving basic navigation, Microsoft needs a forum for input from users.

"Browsers are so complex now that there are more bases to cover," he said. "And because Microsoft went years before taking a proactive approach to Explorer bugs, there will be more flaws cropping up."

Exploits Reported

As for the current vulnerability, security experts have noted that, while the flaw is serious, those wishing to exploit it would have to entice users to click a link that takes them to a specially crafted Web site. In addition, for a PC to be affected, it must be running in administrator mode.

The vulnerability is exploitable via Web surfing, e-mail, and instant messaging, and several versions of the exploit are already in the wild and are being used actively by hackers, eEye reported.

Those whose accounts are configured to have fewer user rights are less vulnerable than users who operate their PCs with full admin rights turned on. Currently, there have been numerous reports of this vulnerability being used in attempts to install spyware and remote-control "bot" software for use in distributed denial-of-service (DDoS) attacks.

The recommended action required to protect systems against this exploit is to disable Active Scripting from within Internet Explorer.

This can be done by opening the Internet Options settings listed in Internet Explorer's Tools menu, clicking on the Security tab, selecting the Internet zone, and clicking on the Custom Level option. The active-scripting setting is available toward the end of the list.

__________________