Hackers take advantage of Microsoft security bug, reports Sophos

Sophos Press Release
With no patch available, Microsoft issues safe computing tips
With no patch available, Microsoft issues safe computing tips.

The disclosure of an unpatched bug in Internet Explorer that could allow attackers to take over a PC has prompted Microsoft to caution its users. While Microsoft has been analysing the vulnerability to develop a security patch, compromised sites are being used by hackers to launch attacks using the flaw.

Computers running affected versions of Internet Explorer could be infected after opening an email or visiting a website carrying malicious code. Once infected, the computer could be taken over by a remote attacker, who could steal data or use the infected computer to attack others.

Microsoft is warning users to exercise caution when opening email messages, and web links in email messages, from untrusted sources.

"With no patches yet available to plug this hole, both home users and businesses need to exercise caution here," said Carole Theriault, senior security consultant at Sophos. "Users without any additional security measures, such as firewall and anti-virus software, and users who surf the web and open emails and without care, are at much higher risk that those who practice safe computing."

According to Microsoft Security Response Center blog, Microsoft is "working day and night" on development of a security update for Internet Explorer that addresses this vulnerability. It remains unclear whether Microsoft plans to release the fix in its next scheduled security update, 11 April, or whether it is considering an out-of-cycle fix release.

Sophos currently detects all known malware exploiting this vulnerability.

Home users of Microsoft Windows can visit windowsupdate.microsoft.com to have their systems scanned for critical Microsoft security vulnerabilities.

Sophos recommends that every IT manager responsible for security should consider subscribing to vulnerability mailing lists such as that operated by Microsoft at www.microsoft.com/technet/security/bulletin/notify.mspx.

Sophos continues to recommend companies protect their desktops and servers with automatically updated anti-virus protection.

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at www.sophos.com/company.