Plus: a fix for standby and hibernation problems

This article appears in the August 06 issue of PC Advisor, available in all good newsagents now.

It’s happened again. Crackers recently began exploiting a major security bug in IE (Internet Explorer) before Microsoft could issue a patch. These so-called zero-day exploits – where less than a day passes between the revelation of a vulnerability and attacks against it – are becoming more frequent. And that’s bad news for us all.

Security research firm Secunia found this hole, which affects virtually all versions of IE from 5.01 to 6.0 SP2.

Beta previews of IE 7.0 that predate March 20, 2006 (build 5335.5 or later) are vulnerable as well. Although attacks exploiting this breach have been sporadic so far, make sure you get the fix. The flaw opens the door to the dangerous drive-by download attack, where simply visiting a malicious website can pull viruses and spyware on to your computer – no click required. Simply viewing a corrupt banner advert on a page could trigger the attack routine.

Here’s how the bug works. A booby-trapped site or image sends your system a poisoned ‘CreateTextRange’ JavaScript command, which scrambles IE’s idea of what’s supposed to be where, leaving IE and Windows flummoxed. A split second later, the cybervulture’s attack program swoops in to carry out whatever nefarious activities the attacker has devised. No matter what the specifics are, you’ll always be the loser.

A bit of good news is that merely previewing an Outlook email message containing a link to a malicious site won’t trigger the exploit. But the usual warning applies: never click a link in any message that’s even slightly suspicious.

Microsoft will distribute a patch via Windows Update by the time you read this. In the meantime, the company’s suggested – if draconian – workaround is to disable or prompt for all JavaScript. JavaScript is a type of programming found in many different web pages – disabling it means a lot of sites will display incorrectly or may keep you from logging in.

To implement the workaround in IE, click Tools, Internet Options and select the Security tab. Click Internet, Custom Level.

Under Settings, in the Scripting section, scroll down to Active Scripting, click Prompt or Disable and click ok. Two security companies have released their own temporary workaround patches, but analysts recommend using either Microsoft’s workaround or an alternative browser such as Firefox or Opera. Microsoft warns against using third-party patches.

For additional details, see Microsoft’s advisory here. The patch can be found here. Of course, all of these problems will be solved by this time next year when Microsoft releases Windows Vista. Right?