Plus: a fix for standby and hibernation problems
This article appears in the August 06 issue of PC Advisor, available in all good newsagents now.
It’s happened again. Crackers recently began exploiting a major security bug in IE (Internet Explorer) before Microsoft could issue a patch. These so-called zero-day exploits – where less than a day passes between the revelation of a vulnerability and attacks against it – are becoming more frequent. And that’s bad news for us all.
Security research firm Secunia found this hole, which affects virtually all versions of IE from 5.01 to 6.0 SP2.
Beta previews of IE 7.0 that predate March 20, 2006 (build 5335.5 or later) are vulnerable as well. Although attacks exploiting this breach have been sporadic so far, make sure you get the fix. The flaw opens the door to the dangerous drive-by download attack, where simply visiting a malicious website can pull viruses and spyware on to your computer – no click required. Simply viewing a corrupt banner advert on a page could trigger the attack routine.
A bit of good news is that merely previewing an Outlook email message containing a link to a malicious site won’t trigger the exploit. But the usual warning applies: never click a link in any message that’s even slightly suspicious.
To implement the workaround in IE, click Tools, Internet Options and select the Security tab. Click Internet, Custom Level. Under Settings, in the Scripting section, scroll down to Active Scripting, click Prompt or Disable and click OK.
Two security companies have released their own temporary workaround patches, but analysts recommend using either Microsoft’s workaround or an alternative browser such as Firefox or Opera. Microsoft warns against using third-party patches.
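The Active Scripting option for the Internet zone is stored in the registry as value 1400 under Zones\3 (0 = Enable, 1 = Prompt, 3 = Disable), so the workaround can be verified from a script. The PowerShell below is an added example, not part of the original article or Microsoft’s advisory; the function name Get-ActiveScriptingSetting is hypothetical, and it only reports each registry location where the value may be set.

```powershell
# Added example: audit IE "Active scripting" (URL action 1400) for the
# Internet zone (zone 3). Values: 0 = Enable, 1 = Prompt, 3 = Disable.
$zoneKey   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$policyKey = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Group Policy locations first, then the per-user and machine settings.
$locations = @(
    "HKLM:\$policyKey",
    "HKCU:\$policyKey",
    "HKCU:\$zoneKey",
    "HKLM:\$zoneKey"
)

# Hypothetical helper: one result object per registry location.
function Get-ActiveScriptingSetting {
    param([string[]]$Path)

    foreach ($p in $Path) {
        $item = Get-ItemProperty -Path $p -Name '1400' -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # Key or value missing: nothing is configured at this location.
            [pscustomobject]@{
                Path = $p; Value = $null; Setting = 'not set'; WorkaroundApplied = $null
            }
            continue
        }

        $v = [int]$item.'1400'
        [pscustomobject]@{
            Path              = $p
            Value             = $v
            Setting           = if ($meaning.ContainsKey($v)) { $meaning[$v] } else { 'unknown' }
            # The article's workaround is either Prompt (1) or Disable (3).
            WorkaroundApplied = ($v -eq 1 -or $v -eq 3)
        }
    }
}

Get-ActiveScriptingSetting -Path $locations | Format-Table -AutoSize

# To apply the workaround for the current user (same effect as the dialog):
# Set-ItemProperty -Path "HKCU:\$zoneKey" -Name '1400' -Value 3 -Type DWord
```

Any row showing Enable at a location that takes effect on the machine means the workaround is not in place for that user.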
For additional details, see Microsoft’s advisory here. The patch can be found here. Of course, all of these problems will be solved by this time next year when Microsoft releases Windows Vista. Right?