Two million computers 'infected' after Internet Explorer security flaw
Published by Jon Land for 24dash.com in Communities
Two million computers 'infected' by Internet Explorer security flaw
More than two million computers worldwide have been infected because of a major security flaw in Microsoft's Internet Explorer web browser, the software giant admitted today.
The problem, first revealed last week, allows criminals to hijack computers and steal passwords if the user visits an infected website.
As many as 10,000 sites have already been compromised to take advantage of the flaw, according to anti-virus software producer Trend Micro.
So far the websites, mostly based in China, have largely been used to obtain computer game passwords which can be sold on the black market.
But there are grave fears that cyber criminals will exploit the "zero day" vulnerability - so-called because it has not been fixed yet - to steal people's bank details.
Rik Ferguson, Trend Micro's senior security adviser in the UK, said the flaw was of "really high value to the cyber-crime community", adding:
"The threat from it is only going to grow.
"Zero days are unusual - and zero days in the world's most popular browser on the world's most popular operating system are really unusual," he said.
John Curran, head of Microsoft's Windows commercial business group in the UK, said the company was "working around the clock" to fix the problem.
"What we have seen in terms of infection is this is 0.2% of Internet Explorer users," he said.
"Obviously when you are talking about a customer base of over one billion people, any amount of vulnerability is too much and any type of infection is going to see a large number of people affected by it."
This equates to more than two million infected machines - although Mr Curran said the flaw was primarily being exploited in China.
Some computer security experts are advising users to switch to another web browser until Microsoft fixes the problem.
The flaw was discovered on December 9, the same day Microsoft released its latest monthly security update, Mr Ferguson said.
The expert said this was a deliberate tactic by criminals to cause maximum confusion among computer users, who could wrongly believe they were protected.
Computers can be infected by visiting a legitimate website that has been compromised with a small piece of code that invisibly redirects the browser to an infected site.
Then a Trojan programme is downloaded to the hard drive, allowing criminals to do everything from stealing passwords to using the machine to send out spam e-mails or even host a child pornography website.
Computer code that exploits the flaw is being sold on internet forums - but it was also released by Chinese researchers who incorrectly thought the problem had already been fixed, Mr Ferguson said.
Microsoft said it had so far only found attacks against version 7 of Windows Internet Explorer, the world's most popular web browser, but warned other versions were "potentially vulnerable".
The company may fix the problem in its regular security update next month or issue an emergency software patch.
Microsoft has already issued new virus definitions so up-to-date anti-virus software will alert users if a computer is infected.
Mr Curran said security was a top priority for the company but noted that fixing software vulnerabilities could be complicated.
"There are always people out there trying to create and identify new exploits. Our job is to try and stay one step ahead of them at all times," he said.
Microsoft is advising Internet Explorer users to take four main
- Ensure anti-virus and anti-malware software is up-to-date;
- Run Internet Explorer in protected mode;
- Set the internet zone security level to "high";
- Ensure all Windows updates have been downloaded.
Mr Ferguson recommended that people who use Internet Explorer should download his company's free Trend Protect plug-in, which protects against the vulnerability.
He said changing to free rival web browser Firefox would "certainly be an option" but urged people who do this to use the NoScript plug-in.