New IE Exploits Create Security Scramble Emerging IE Exploits Make Security a Race Against Time Ed Sutherland
Attackers and security experts are in a race against time, as new, more dangerous, Internet Explorer exploits are made public. The latest, found by researchers this morning, reportedly overcomes a fix released yesterday by Microsoft.
"I will virtually guarantee someone is looking to turn PCs into spam zombies," Scott Carpenter, director of security at Secure Elements,
told internetnews.com.
Microsoft yesterday released a security advisory announcing a so-called createTextRange vulnerability could be averted by IE 6 users upgrading to a March 20 IE 7 Beta 2 Preview.
Carpenter now says yesterday's proof-of-concept code has evolved into a more refined exploit capable of overwhelming even the latest test version of Microsoft's browser.
"There's going to be a scramble to turn this into a worm," Carpenter said. It's only going to get worse.
Microsoft has not returned a request for comment.
While acknowledging the problem, Microsoft Thursday said for the exploit to work, people would have to visit a specially-crafted Web site or click an e-mail link sending them to a malicious Web site.
"We have seen examples of proof of concept code, but we are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time," the Microsoft advisory said.
Until Microsoft issues a security update, the software giant recommends users upgrade IE to the latest IE 7 beta or disable Active Scripting, which includes JavaScript and ActiveX controls.
Earlier this month, Microsoft suggested IE 6 users disable ActiveX.
Carpenter said disabling Active Scripting would break many Internet sites, including online banking and e-commerce sites. Secure Elements is recommending customers switch to Firefox, Opera or another browser.
As more rich Internet content is made available, security flaws such as those revealed today are spreading beyond IE to Firefox and Apple's Safari Web browser, according to Carpenter.
