Web Site Attacks Against Unpatched IE Flaw Spike

An anonymous reader wrote to mention a Washingtonpost.com article about an increase in attacks against IE users via a critical, unpatched flaw. The bug allows software to be downloaded to the vulnerable PC even if the only act the user takes is browsing to a web site. From the article: "[A] password-stealing program landed on the Windows PC belonging to Reaz Chowdhury, a programmer for Oracle Corp. who works out of his home in Orlando, Fla. Chowdhury said he's not sure which site he browsed in the past 24 hours that hijacked his browser, but he confirmed that the attackers had logged the user name and password for his company's virtual private network (VPN)."

Keep an eye on this one..

[Dynamoo]

If you're an admin of machines running IE then it will be worth keeping an eye on this one. The best place is the Internet Storm Center which usually updates several times a day and links to other sites of interest. (Be sure to check the diary archive).

This is a little like the WMF flaw that became known just after Christmas. Eventually MS had to provide an out-of-cycle patch (even if it was just a few days early) because of the bad press they were getting. From the looks of things, the patch for this one will be ready soon too.. so any kind of noise you can make to get an early release would be a Good Thing.

Yeah yeah, MS will get a lot of flak from Slashdotters on this, but you should bear in mind that they also provide some decent patching tools like WSUS for administrators to roll these things out. Personally, I never use IE on my Windows box, but I'm afraid it's still a fact of life in most large businesses.