News

Microsoft Offers IE Security Workaround, But No Fix

A zero-day flaw in Internet Explorer 7 reported last week has sparked increased hacker activity, and now the attacks involve most versions of Microsoft's Internet browser.

A zero-day flaw in Internet Explorer 7 reported last week has sparked increased hacker activity, and now the attacks involve most versions of Microsoft's Internet browser. Still, Microsoft does not plan to issue a fix for the exploit until sometime next year.

The attack code originated on Chinese servers and initially only affected IE7, but it emerged that IE5.01, IE6, IE7 and IE8 Beta 2, have also been exploited.

On Monday, Redmond continued to investigate what it called "huge increases" in attacks exploiting the "critical" vulnerability in Internet Explorer. A blog post on Saturday explained that some of the attacks originated from compromised porn sites.

Microsoft is stressing that avoiding questionable Web destinations may not be an adequate defense in itself.

"This class of attack, along with other more classical forms of website intrusion, mean[s] that even trusted sites can end up serving malicious content, causing you[r computer] to get infected. Other researchers confirmed that attacks were increasingly coming from compromised Web sites," the blog said.

Research by other companies confirmed an uptick in incursions using IE as the vector. Antivirus software maker Trend Micro Inc. issued a statement on Monday indicating that as many as 10,000 sites have been compromised by this IE browser flaw over a week's time.

In response, Microsoft added a third addendum to its security advisory over the weekend. The addendum lists possible workarounds and solutions to serve as stopgap measures until a comprehensive IE fix for this exploit becomes available in 2009.

The attacks come as Redmond fights for increased browser market share. A recent survey found that IE8 was the safest, but least popular, Web browser in a beta comparison with Mozilla Firefox and Google Chrome.

Users should turn to other browsers besides IE until this problem can be fixed, according to Wolfgang Kandek, chief technology officer of security firm Qualys. However, Kandek contends that no browser is safe unless patched in real time or patched frequently, a technique known as "fast patching."

"Recent research has shown that Firefox fast patching offers significant advantages over IE, Opera and others," he said. "Opera has added fast patching in their newest release and Google Chrome has had it from the get-go."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

comments powered by Disqus

Featured

  • Creating Business Applications Using Blazor

    Expert Blazor programmer Michael Washington' will present an upcoming developer education session on building high-performance business applications using Blazor, focusing on core concepts, integration with .NET, and best practices for development.

  • GitHub Celebrates Microsoft's 50th by 'Vibe Coding with Copilot'

    GitHub chose Microsoft's 50th anniversary to highlight a bevy of Copilot enhancements that further the practice of "vibe coding," where AI does all the drudgery according to human supervision.

  • AI Coding Assistants Encroach on Copilot's Special GitHub Relationship

    Microsoft had a great thing going when it had GitHub Copilot all to itself in Visual Studio and Visual Studio Code thanks to its ownership of GitHub, but that's eroding.

  • VS Code v1.99 Is All About Copilot Chat AI, Including Agent Mode

    Agent Mode provides an autonomous editing experience where Copilot plans and executes tasks to fulfill requests. It determines relevant files, applies code changes, suggests terminal commands, and iterates to resolve issues, all while keeping users in control to review and confirm actions.

  • Windows Community Toolkit v8.2 Adds Native AOT Support

    Microsoft shipped Windows Community Toolkit v8.2, an incremental update to the open-source collection of helper functions and other resources designed to simplify the development of Windows applications. The main new feature is support for native ahead-of-time (AOT) compilation.

Subscribe on YouTube