A serious security flaw has been found in Internet Explorer – no big surprise there. But this one really IS serious – it was found by attackers before it was found by Microsoft. So exploits are already out there “in the wild.” (This BBC News story has more details.)
The worst part of it is that you could be hit by this exploit just by visiting a “normal” site that’s been infected – being vigilant isn’t enough anymore.
“In this case, hackers found the hole before Microsoft did,” said Rick Ferguson, senior security advisor at Trend Micro. “This is never a good thing.”
As many as 10,000 websites have been compromised since the vulnerability was discovered, he said.
“What we’ve seen from the exploit so far is it stealing game passwords, but it’s inevitable that it will be adapted by criminals,” he said. “It’s just a question of modifying the payload the trojan installs.”
Said Mr Ferguson: “If users can find an alternative browser, then that’s good mitigation against the threat.”
The flaw affects even IE7, the latest (released) version of Internet Explorer – so this isn’t just a flaw in older versions of the program.
So if you’ve been dragging your feet over changing to a different browser, now’s a better time than ever to switch! I’d recommend Firefox, but any alternate browser (such as Opera, Apple’s Safari, or Google’s Chrome) would do to keep you safe.
UPDATE (12/18/2008): Microsoft released a fix for this yesterday – it’s available through the normal Windows Update. Just be aware that you’ll have to reboot your computer (which seems silly for a fix to your browser, but that’s an argument for another day).