REDMOND, Wash. – A “zero day vulnerability” in Microsoft’s Internet Explorer browser, disclosed by the software giant Monday, is already being exploited by cybercriminals. Worse, Microsoft says there’s no fix for the problem, which allows hackers to take control of machines running Windows XP or Windows Server 2003 operating systems.
Perhaps worst of all, users do not need to interact with executable files or scripts in order to become infected. All that is required is a visit to any website within which a hacker has embedded a tiny snippet of code. The code allows browser-based video content to open a hole through which hackers can take control of the machine.
Dean Turner, director of Symantec Security Response, told The Associated Press his company has detected “an estimated several hundred legitimate Web pages with infections since July 1.”
“This kind of exploit in the wild, with no security patch yet available, has the potential to affect hundreds of thousands of people,” Turner told the AP.
Microsoft has warned all IE users with Windows XP or Server 2003 OSes to disable the browser’s video component until Microsoft software engineers develop a suitable patch. Microsoft’s Monday security advisory said the patch will be distributed “when it has reached an appropriate level of quality for broad distribution,” though the company has not speculated how long the process may take.
Users who subscribe to Microsoft’s Automatic Updates service will be fed the patch as soon as it is available. In the meantime, all users can find instructions for disabling the troublesome video component here.