Security pros provide interim IE patch

A group of security professionals has created a third-party fix for a recently discovered Internet Explorer flaw that’s increasingly being used in cyber attacks.

The group, which called itself the Zeroday Emergency Response Team, or ZERT, created the patch so IE users can protect themselves while Microsoft works on an official fix.

“Certain members of the group feel that the risk associated with this vulnerability is so great that they can’t wait for a patch. Some users might agree with that and apply this patch,” ZERT spokesman Randy Abrams said on Friday. Abrams is director of technical education at security company ESET and volunteers with ZERT.

The flaw lies in the way IE 6 handles certain graphics. Malicious software can be loaded, unbeknownst to the user, onto a vulnerable Windows PC when the user clicks on a malicious link on a Web site or an e-mail message. Word of the vulnerability came early last week, when the weakness already was being exploited in cyber attacks.

Attacks had ramped up significantly late last week, according to Ken Dunham, director of the rapid response team at VeriSign’s iDefense. In many cases, the attacks installed spyware, adware and remote control software on victims’ PCs.

In at least one case, cyber criminals broke into a Web hosting company and redirected 500 Internet domains to point to a malicious site that exploited this latest flaw, Dunham said. “So you’re just surfing the Web, and all of a sudden, you are redirected to a malicious Web site,” he said.

Attacks that exploited the flaw via e-mail likely would surface soon, he added.

Full article: ZDNet Australia