• silicon.com
• Technology
• Security

By Joris Evers, 25 September 2006 09:10

NEWS

A group of security professionals has created a third-party fix for a recently discovered Internet Explorer flaw that's increasingly being used in cyber attacks.

The group, which calls itself the Zeroday Emergency Response Team, or Zert, created the patch so IE users can protect themselves while Microsoft works on an official fix

A Zert spokesman said on Friday: "Certain members of the group feel that the risk associated with this vulnerability is so great that they can't wait for a patch. Some users might agree with that and apply this patch."

The flaw lies in the way IE 6 handles certain graphics. Malicious software can be loaded, unbeknownst to the user, onto a vulnerable Windows PC when the user clicks on a malicious link on a website or an email message. Word of the vulnerability came last week, when the weakness was already being exploited in cyber attacks.

Ken Dunham, director of the rapid response team at VeriSign's iDefense, said: "Attacks have ramped up significantly in the past 24 hours." In many cases, the attacks install spyware, adware and remote control software on victims' PCs.

In at least one case, cyber criminals broke into a web hosting company and redirected 500 internet domains to point to a malicious site that exploits this latest flaw, Dunham said. "So you're just surfing the web, and all of a sudden, you are redirected to a malicious website," he said.

Attacks that exploit the flaw via email are likely to surface soon, he added.

While Microsoft is aware of the attacks, it said it does not recommend using the third-party fix. A Microsoft representative said in a statement: "As a best practice, customers should obtain security updates and guidance from the original software vendor."

This is the third time this year somebody has beaten Microsoft to the punch with a security fix. In January, an outside patch was created for a vulnerability in the way Windows renders Windows Meta File images, and in March, two security companies issued patches for a bug related to how IE handled certain tags in web pages.

Joris Evers writes for CNET News.com