Monday, December 15, 2008

Microsoft Offers IE Security Workaround, But No Fix

A zero-day flaw in Internet Explorer 7 reported last week has sparked increased hacker activity, and now the attacks involve most versions of Microsoft's Internet browser. Still, Microsoft does not plan to issue a fix for the exploit until sometime next year.

The attack code originated on Chinese servers and initially only affected IE7, but it emerged that IE5.01, IE6, IE7 and IE8 Beta 2, have also been exploited.



On Monday, Redmond continued to investigate what it called "huge increases" in attacks exploiting the "critical" vulnerability in Internet Explorer. A blog post on Saturday explained that some of the attacks originated from compromised porn sites.

Microsoft is stressing that avoiding questionable Web destinations may not be an adequate defense in itself.

"This class of attack, along with other more classical forms of website intrusion, mean[s] that even trusted sites can end up serving malicious content, causing you[r computer] to get infected. Other researchers confirmed that attacks were increasingly coming from compromised Web sites," the blog said.

Research by other companies confirmed an uptick in incursions using IE as the vector. Antivirus software maker Trend Micro Inc. issued a statement on Monday indicating that as many as 10,000 sites have been compromised by this IE browser flaw over a week's time.

In response, Microsoft added a third addendum to its security advisory over the weekend. The addendum lists possible workarounds and solutions to serve as stopgap measures until a comprehensive IE fix for this exploit becomes available in 2009.

The attacks come as Redmond fights for increased browser market share. A recent survey found that IE8 was the safest, but least popular, Web browser in a beta comparison with Mozilla Firefox and Google Chrome.

Users should turn to other browsers besides IE until this problem can be fixed, according to Wolfgang Kandek, chief technology officer of security firm Qualys. However, Kandek contends that no browser is safe unless patched in real time or patched frequently, a technique known as "fast patching."

"Recent research has shown that Firefox fast patching offers significant advantages over IE, Opera and others," he said. "Opera has added fast patching in their newest release and Google Chrome has had it from the get-go."



‘Zack And Miri Make A Porno’: Boffo, By Kurt Loder
‘Twilight’ Sneak Peek To Premiere At International Rome Film Festival
Zero-Day IE 7 Flaw Discovered
IE8: ‘Safe’ but Scorned in Bug Battle Contest