Security Patch Won't Fix Notorious IE Flaw

[nsane.forums]

A flaw in Internet Explorer 6 and 7 that allows hackers to run any program remotely on a PC without the user's knowledge will not be fixed in Microsoft's security update this month.

Compared to last month's bumper update that fixed a record 49 bugs, November's Patch Tuesday, which will be issued next week, will only fix 11 vulnerabilities via three bulletins.

The patch for Office for Windows is rated "critical" while the patches for Office for Mac 2011 and Forefront Unified Access Gateway have been labeled "important."

According to Symantec, Hackers use an email with a link that when clicked on identifies whether the web user's browser is IE6 or IE7. If so, the script transfers the visitor unknowingly to a malicious website where the malware infects their PC, subsequently allowing hackers to run programs remotely. Microsoft has urged users to upgrade from IE6.

Microsoft confirmed it is aware of the flaw and in an advisor said it was investigating the vulnerability.

"We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs aware of the vulnerability and posted an advisory"

Symantec said it has already identified incidences where the flaw is being exploited but did not know "the number of compromised machines."

"The threat does not appear to be targeting any one specific industry," Symantec said.

View: Original Article