Microsoft admitted today that a serious flaw in security has left the majority
of the world’s internet users exposed to attacks from hackers hoping to
steal personal data and passwords.
A loophole in Internet Explorer (IE), the default web browser on most
computers, allows criminals to commandeer victims’ PCs by tricking them into
visiting unsafe websites.
It is thought that two million computers have already been affected as
Microsoft conceded that 1 in 500 internet users may have been exposed.
Computer users are advised by some security experts to switch to an
alternative internet browser, such as Firefox or Google Chrome, to avoid the
hackers who have so far corrupted an estimated 10,000 websites.
Microsoft said that it is considering the release of an emergency update to
correct the flaw. The computing company claims that it has only detected
attacks on Internet Explorer 7, the most common version of the browser, but
gave warning that other versions are also potentially vulnerable.
The hack was initially devised by Chinese criminals, who have been stealing
computer game passwords that can be sold on the black market.
However, Paul Ferguson, a security researcher for Trend Micro Inc, an
anti-spyware provider, said that the security breach is so severe that it
could be “adopted by more financially motivated criminals for more serious
mayhem — that’s a big fear right now”.
Since the security flaw was reported on December 9, Microsoft said that there
has been an exponential increase in attacks attempting to make use of the
vulnerability. Attacks of this kind, which exploit a flaw before a fix is
available, are called “zero-day” attacks.
These threats occur as hackers race against software makers to attack the
affected programmes, such as IE, before the known problems are repaired.
“Zero days are unusual — and zero days in the world’s most popular
browser on the world’s most popular operating system are really unusual,”
said a Trend Micro spokesman. “The threat from it is only going to grow.”
John Curran, a spokesman for Microsoft, said: “Right now it’s affecting about
0.2 per cent of users who may have come in touch with the vulnerability.
“It has the potential to move world wide rather quickly so it’s a significant
issue and that’s why Microsoft is working diligently to get it resolved as
quickly as possible.
“We are recommending four steps [see below] which would protect you from the
vulnerabilities we know today but there could be variations to the
vulnerabilities.
“Obviously the chance for this to be exploited is there.”
The company is telling users to employ a series of complicated workarounds to
minimise the threat. It has been suggested that raising the Internet security
zone level to High and restricting access to OLEDB32.dll through its access
control list could help protect a computer.
Some security experts, though, have advised IE users switch to another browser
until an update is released. The next scheduled patch is not due until
January 13 but it is not unusual for Microsoft to release an emergency
patch.
Microsoft have struggled to build an appropriate patch thus far because the
affected component is at the very core of the IE programme and any changes
to the central code could cause a number of unexpected side-effects.
Microsoft’s advice for Internet Explorer users
1. Keep your anti-virus up-to-date. Microsoft has circulated the definitions
of these vulnerabilities to all the major anti-virus providers.
2. Reset Internet Explorer to run in protected mode. This is the default mode
in Windows Vista but not XP or the earlier versions.
3. Set zone security to high.
4. Ensure Windows is updated. You can do this manually through Windows Update
or set it to install updates automatically.
More complex and comprehensive approaches are listed on the Microsoft website.
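As an added example (not from the article and not Microsoft's own tooling), the PowerShell script below audits whether steps 2 and 3 above, and the OLEDB32.dll access restriction mentioned earlier, are in place on a Windows machine. The registry key, value names, numeric zone levels and DLL path are assumptions about how Internet Explorer stores its zone settings and where the OLE DB provider is installed.

```powershell
# Added audit script (not from the article or from Microsoft). Assumptions:
# per-user IE zone settings live under the key below (zone 3 = Internet),
# CurrentLevel 0x12000 is IE's "High" template, value "2500" = 0 means
# Protected Mode is on for the zone, and oledb32.dll sits in its default path.
# Audit only: IE writes the per-action values when the slider is moved, so
# raise the level through Internet Options or Group Policy, not by hand.
$ZoneKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$OleDbDll = Join-Path $env:CommonProgramFiles 'System\Ole DB\oledb32.dll'
$LevelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-Low'; 0x11000 = 'Medium'
                 0x11500 = 'Medium-High'; 0x12000 = 'High' }

function Get-ZoneValue([string]$Name) {
    $p = Get-ItemProperty -Path $ZoneKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return $p.$Name
}

function Test-InternetZoneHigh {
    $level = Get-ZoneValue 'CurrentLevel'
    $name = if ($null -eq $level) { 'unset' }
            elseif ($LevelNames.ContainsKey([int]$level)) { $LevelNames[[int]$level] }
            else { 'Custom' }
    [pscustomobject]@{ Check = 'Internet zone security = High'; Value = $name; Pass = ($level -eq 0x12000) }
}

function Test-ProtectedMode {
    $v = Get-ZoneValue '2500'
    # Protected Mode only exists on Vista (NT 6.0) and later, as the article notes.
    $vistaOrLater = [Environment]::OSVersion.Version.Major -ge 6
    [pscustomobject]@{ Check = 'Protected Mode on for Internet zone'
                       Value = if ($null -eq $v) { 'unset' } else { $v }
                       Pass  = ($vistaOrLater -and $v -eq 0) }
}

function Test-OleDbAclRestricted {
    if (-not (Test-Path $OleDbDll)) {
        return [pscustomobject]@{ Check = 'oledb32.dll access restricted'; Value = 'file not found'; Pass = $false }
    }
    # The workaround denies Everyone access to the DLL; look for that Deny ACE.
    $deny = @((Get-Acl $OleDbDll).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -in @('Everyone', 'S-1-1-0')
    })
    [pscustomobject]@{ Check = 'oledb32.dll access restricted'; Value = "$($deny.Count) deny ACE(s)"; Pass = ($deny.Count -gt 0) }
}

@(Test-InternetZoneHigh; Test-ProtectedMode; Test-OleDbAclRestricted) | Format-Table -AutoSize
```

Run it in the context of the user whose browser you are checking, since the zone settings audited here are per-user.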