Microsoft has thrown the Internet world into a flurry with a surprise warning about a serious “zero day” vulnerability in its Internet Explorer browser that it hasn’t fixed yet.
(A zero-day attack is one that exploits a vulnerability in software before the vendor has released a patch for it.)
Microsoft rarely departs from its practice of issuing security updates on “Patch Tuesday,” the second Tuesday of each month. On the rare occasions when it does issue security warnings at other times, it is because it considers the vulnerabilities extremely serious.
The latest vulnerability affects IE users whose computers run the Windows XP or Windows Server 2003 operating systems.
It is said to allow hackers to remotely take control of victims’ machines. The victims can get infected simply by visiting a Web site that’s been hacked.
According to Associated Press, criminals have been attacking the vulnerability for nearly a week. Thousands of sites are said to have been hacked to serve up malicious software that exploits the vulnerability. People can be drawn to these sites by clicking a link in spam e-mail.
McAfee research suggests most of the affected Web sites are in China. More than 100 hijacked sites were found to be injected with malicious links that are still actively hosting this trojan, said McAfee.
A Microsoft advisory offers a workaround users can apply to safeguard against the vulnerability until a patch is released. It involves making changes to the Windows registry, a risky undertaking for those who aren’t sure what they’re doing, according to The Register Web site.
The easier fix is to stop using IE. There are other browsers, including Firefox, Safari, Opera and Chrome.