Hackers take advantage of Microsoft security bug, reports Sophos

March 27, 2006 Sophos Press Release

With no patch available, Microsoft issues safe computing tips
With no patch available, Microsoft issues safe computing tips.

The disclosure of an unpatched bug in Internet Explorer that could allow attackers to take over a PC has prompted Microsoft to caution its users. While Microsoft has been analysing the vulnerability to develop a security patch, compromised sites are being used by hackers to launch attacks using the flaw.

Computers running affected versions of Internet Explorer could be infected after opening an email or visiting a website carrying malicious code. Once infected, the computer could be taken over by a remote attacker, who could steal data or use the infected computer to attack others.

Microsoft is warning users to exercise caution when opening email messages, and web links in email messages, from untrusted sources.

"With no patches yet available to plug this hole, both home users and businesses need to exercise caution here," said Carole Theriault, senior security consultant at Sophos. "Users without any additional security measures, such as firewall and anti-virus software, and users who surf the web and open emails and without care, are at much higher risk that those who practice safe computing."

According to Microsoft Security Response Center blog, Microsoft is "working day and night" on development of a security update for Internet Explorer that addresses this vulnerability. It remains unclear whether Microsoft plans to release the fix in its next scheduled security update, 11 April, or whether it is considering an out-of-cycle fix release.

Sophos currently detects all known malware exploiting this vulnerability.

Home users of Microsoft Windows can visit windowsupdate.microsoft.com to have their systems scanned for critical Microsoft security vulnerabilities.

Sophos recommends that every IT manager responsible for security should consider subscribing to vulnerability mailing lists such as that operated by Microsoft at www.microsoft.com/technet/security/bulletin/notify.mspx.

Sophos continues to recommend companies protect their desktops and servers with automatically updated anti-virus protection.