The Internet worms, self-replicating malicious programs that spread from machine to machine across a network without any action by the user, have infected hundreds of thousands of PCs worldwide at a minimum. Many have crashed, and networks have slowed to a crawl.
The Internet Explorer vulnerabilities could enable an attacker to run unwanted software on a computer and even take control of it if a victim were to visit a malicious Web site, the company said on Thursday.
With one of the vulnerabilities, a computer user could be exposed simply by clicking on a Web address link in an e-mail, according to Microsoft.
The flaws come on the heels of a series of worms that have bombarded computer users since early last week. Blaster, which exploits a hole in Windows and can crash the computers it infects, was followed this week by Welchia, which was written to clean up after Blaster and patch the hole but congests networks as it scans for other machines to fix.
Another new worm, Sobig.F, was overwhelming many e-mail systems and leaving a back door on infected computers that experts said could later be used to turn those machines into spam relays, conduits for generating or sending unwanted e-mail.
AS THE WORM TURNS
Security experts were divided on the seriousness of the threat posed by the Internet Explorer security holes.
“It is very trivial to actually exploit it,” said Marc Maiffret, chief hacking officer at eEye Digital Security, which discovered the more serious of the two vulnerabilities. “It’s a bug that tricks IE into running content that it shouldn’t, like executables.”
However, Russ Cooper of TruSecure Corp. said the vulnerabilities were not that likely to be exploited. “We just don’t see malicious code writers using this stuff,” he said.
Earlier in the week, Microsoft launched its “Protect Your PC” campaign to encourage people to install security software, such as anti-virus programs, and to regularly update the fixes and patches for their other software.
Microsoft is considering offering automatic software updates that users can then opt out of, said Jeff Jones, director of security for the Microsoft Security Business Unit.
In addition, the company may activate by default certain security features in Windows, such as Internet Connection Firewall. “We’re certainly exploring defaulting more for security and we think that is what customers are asking for,” he said.
Maiffret said some people may still want to install software updates themselves, since there have been patches that, when not installed correctly, could actually cause more computer problems.
Cooper, meanwhile, said the automatic update idea would “dramatically reduce the number of attacks that we see.”
Microsoft launched its “Trustworthy Computing” initiative in January 2002 in an effort to reduce the number of security problems that affected its software. The move included special training for programmers, but some experts have said the results may not be seen until future products are released.
Information and patches can be downloaded from http://www.microsoft.com/security.