Flaw In Internet Explorer Not Fixed Yet
SAN FRANCISCO, Dec. 15, 2008

(AP) Users of all current versions of Microsoft Corp.'s Internet Explorer
browser might be vulnerable to having their computers hijacked because of a
serious security hole in the software that had yet to be fixed Monday.

The flaw lets criminals commandeer victims' machines merely by tricking them
into visiting Web sites tainted with malicious programming code. As many as
10,000 sites have been compromised since last week to exploit the browser
flaw, according to antivirus software maker Trend Micro Inc.

The sites are mostly Chinese and have been serving up programs that steal
passwords for computer games, which can be sold for money on the black
market. However, the hole is such that it could be "adopted by more
financially motivated criminals for more serious mayhem - that's a big fear
right now," Paul Ferguson, a Trend Micro security researcher, said Monday.

"Zero-day" vulnerabilities like this are security holes that haven't been
repaired by the software makers. They're a gold mine for criminals because
users have few ways to fight off attacks.

The latest vulnerability is noteworthy because Internet Explorer is the
default browser for most of the world's computers. Also, while Microsoft
says it has detected attacks only against version 7 of Internet Explorer,
which is the most widely used edition, the company warned that other
versions are also potentially vulnerable.

Microsoft said it is investigating the flaw and is considering fixing it
through an emergency software patch outside of its normal monthly updates,
but declined further comment. The company is telling users to employ a
series of complicated workarounds to minimize the threat.

Many security experts, meanwhile, are urging Internet Explorer users to use
another browser until a patch is released.

MMVIII The Associated Press.