Internet Explorer Hack: Most Versions Vulnerable

Dennis Faas's picture

Microsoft has admitted hackers are carrying out targeted attacks to exploit a newly discovered bug in its popular Internet Explorer web browser. The company is working on a fix, but suggests users consider technical workarounds in the meantime.

The bug affects all versions of Internet Explorer from version 6 (which shipped with Vista) to version 9 (the current edition). It won't affect Internet Explorer 10, which will first become available with Windows 8 in late October, 2012.

Eric Romang, a security researcher, discovered the bug while examining a web server used by hackers. Romang found the hackers were connecting to machines running Internet Explorer, and he quickly identified the techniques they were using.

Internet Explorer Vulnerable To Drive-Bys

The newly discovered bug allows for so-called "drive-by" attacks, in which a hacker takes control of a user's computer through a rogue website where victims download or open a malicious file.

Microsoft responded to the security revelations within a few hours of researchers publishing a guide explaining how hackers could exploit the bug.

The software giant says it is working on a fix for the bug, but hasn't announced whether it will be released as soon as it is ready or saved for the next scheduled "Patch Tuesday" security update.

Security Advisory Brings Temporary Solutions

In the meantime, Microsoft has made three specific suggestions regarding how to avoid being victimized by hackers using this particular bug. Two involve clicking on Internet Options in the browser's Tools menu and then selecting the Security tab. (Source: microsoft.com)

The first suggestion is to set the Security level for both Internet and Local Intranet to 'High'. The second suggestion is to set a custom Security level and then switch the Active Scripting setting to Prompt or Disable.

The drawback to both of these strategies is that they could affect the usability of safe, legitimate websites.
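To confirm that either of these two settings is actually in effect for the current user, the read-only PowerShell check below reports the security level and the Active Scripting setting for the Internet and Local Intranet zones. It is an added example, not part of Microsoft's advisory or the original article. The function name is made up for illustration, and the script assumes the per-user zone settings are stored under the standard Internet Settings registry key.

```powershell
# Added example: read-only audit of the two Internet Options workarounds.
# Get-IEZoneWorkaroundStatus is a hypothetical name chosen for this sketch.
# Assumption: zone settings live in the per-user Internet Settings key below.
function Get-IEZoneWorkaroundStatus {
    param(
        [string]$Root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    )

    $zones     = @{ 1 = 'Local intranet'; 3 = 'Internet' }      # zone IDs used by IE
    $scripting = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' } # values of action 1400
    $highLevel = 0x12000                                         # "High" security template

    foreach ($id in ($zones.Keys | Sort-Object)) {
        $props = Get-ItemProperty -Path (Join-Path $Root "$id") -ErrorAction SilentlyContinue

        # A missing key or value is reported as 'not set' rather than guessed.
        $level  = if ($props -and $null -ne $props.CurrentLevel) { [int]$props.CurrentLevel } else { $null }
        $action = if ($props -and $null -ne $props.'1400')       { [int]$props.'1400' }       else { $null }

        $levelText = if ($null -eq $level) { 'not set' } else { '0x{0:X}' -f $level }
        $actionText = if ($null -eq $action) { 'not set' }
                      elseif ($scripting.ContainsKey($action)) { $scripting[$action] }
                      else { "unknown ($action)" }

        # Workaround 1: zone level is High.
        # Workaround 2: Active Scripting is Prompt (1) or Disable (3).
        $isHigh     = ($level -eq $highLevel)
        $scriptSafe = ($action -eq 1 -or $action -eq 3)

        [pscustomobject]@{
            Zone            = $zones[$id]
            SecurityLevel   = $levelText
            ActiveScripting = $actionText
            WorkaroundInUse = ($isHigh -or $scriptSafe)
        }
    }
}

# Show the result for the current user as a table.
Get-IEZoneWorkaroundStatus | Format-Table -AutoSize
```

On machines managed by Group Policy, policy settings can override these per-user values, so a result here should be checked against what the Internet Options dialog shows.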

Microsoft's third suggestion is to follow the instructions in the advisory to activate a built-in Windows tool named Enhanced Mitigation Experience Toolkit. This is slightly more complex to set up, but should provide protection against the bug without affecting usability of safe websites.

At least one security firm chief says these workarounds are too complicated for most computers. He suggests it would be better for users simply to switch to a different browser, at least until Microsoft issues a more permanent fix. (Source: computerworld.com)

The bug should remind users to take care when visiting websites and to be wary about following links from unknown sources.
