Attackers and security experts are in a race against time, as new, more dangerous, Internet Explorer exploits are made public. The latest, found by researchers this morning, reportedly overcomes a fix released yesterday by Microsoft.
“I will virtually guarantee someone is looking to turn PCs into spam zombies,” Scott Carpenter, director of security at Secure Elements, told internetnews.com.
Microsoft yesterday released a security advisory announcing a so-called createTextRange vulnerability could be averted by IE 6 users upgrading to a March 20 IE 7 Beta 2 Preview.
Carpenter now says yesterday’s proof-of-concept code has evolved into a more refined exploit capable of overwhelming even the latest test version of Microsoft’s browser.
“There’s going to be a scramble to turn this into a worm,” Carpenter said. “It’s only going to get worse.”
Microsoft has not returned a request for comment.
While acknowledging the problem, Microsoft Thursday said for the exploit to work, people would have to visit a specially crafted Web site or click an e-mail link sending them to a malicious Web site.
“We have seen examples of proof of concept code, but we are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time,” the Microsoft advisory said.
Until Microsoft issues a security update, the software giant recommends users upgrade IE to the latest IE 7 beta or disable Active Scripting, which includes JavaScript and ActiveX controls.

Earlier this month, Microsoft suggested IE 6 users disable ActiveX.
Carpenter said disabling Active Scripting would break many Internet sites, including online banking and e-commerce sites. Secure Elements is recommending customers switch to Firefox, Opera or another browser.
As more rich Internet content is made available, security flaws such as those revealed today are spreading beyond IE to Firefox and Apple’s Safari Web browser, according to Carpenter.