Security firm Secunia today disclosed a programming error in Microsoft’s Internet Explorer browser that could allow malicious hackers to take over users’ computers and destroy their hard drives or turn them into “zombie” spam mailers.
Microsoft says it is working on a patch that will close the security hole. But until it is ready, security experts are warning Internet Explorer users to use a different browser such as Firefox, or at least change Explorer’s settings to turn off a function called “active scripting.”
The vulnerability, which Secunia has classified as ”highly critical,” affects Internet Explorer 6.0 for Windows XP – the version already used by most owners of Windows PCs – as well as certain beta versions of Internet Explorer 5.5 and 7.0.
Scott Carpenter, security lab director at Secure Elements, a Herndon, VA, security firm that is tracking the vulnerability, puts that into English: “This new bug in Internet Explorer has the potential of being very bad. Someone is going to turn this into a virus, most probably through e-mail. So watch those spam links. If it looks too good to be true, it probably is. Be careful for a while, and if you have another browser such as Firefox you should probably use it.”
The bug is “new” only in the sense that it went undiscovered until recently. Researcher Andreas Sandblad at Secunia discovered the problem on February 10 and notified Microsoft on February 13, according to Secunia’s advisory on the vulnerability. As is standard procedure in the security business, Secunia kept the information secret while Microsoft assessed the vulnerability.
On March 22, however, an exploit for the vulnerability appeared on the Internet. Secunia discovered a message in a public mailing list pointing to a Web page that contained the exploit, which uses the DLL vulnerability to shut down Explorer. That prompted the company to go public with the information.
Engineers at Microsoft confirmed the vulnerability in a posting on the Microsoft Security Response Center blog, and said they would address it in a security update. Microsoft normally issues a collection of patches for Windows and other Microsoft programs on a monthly cycle. The next scheduled update is three weeks away. But the “createTextRange()” bug is so severe, says Carpenter, that ”my prediction is that Microsoft will issue an out-of-cycle patch for this.”
The exploit that emerged on March 22 was a “proof of concept” intended by its anonymous authors only to demonstrate that they had discovered, and learned to take advantage of, the memory corruption vulnerability. The exploit is not malicious – it merely shuts down Internet Explorer and, for good measure, launches the Windows Calculator accessory. But simply possessing knowledge of such a vulnerability in a major browser program can be the ticket to a big payoff, according to Carpenter.
“Money, money, and more money” is the reason for the persistence of a hacker underground that constantly searches for weak spots in Windows programs, Carpenter says. Spammers, for example, “will pay over $10,000 these days for an undisclosed vulnerability,” he says.
For more information:
Embracing CX in the metaverse
More than just meeting customers where they are, the metaverse offers opportunities to transform customer experience.
Identity protection is key to metaverse innovation
As immersive experiences in the metaverse become more sophisticated, so does the threat landscape.
The modern enterprise imaging and data value chain
For both patients and providers, intelligent, interoperable, and open workflow solutions will make all the difference.
Scientists have created synthetic mouse embryos with developed brains
The stem-cell-derived embryos could shed new light on the earliest stages of human pregnancy.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.