474 days

Suzanne Choney

IE flaw could mean access to passwords

A recently discovered flaw in Internet Explorer could allow criminals to collect passwords and banking information. Microsoft is warning Windows users to be aware of the problem, with a manual work-around available, but there is no downloadable software fix available yet. (Msnbc.com is a joint venture of Microsoft and NBC Universal.)

So far, Microsoft says it "has not seen any indications of active exploitation of the vulnerability." More details are available here, along with a suggested workaround (check under the FAQ section), as part of the security advisory. Users of Windows versions from XP to Windows 7 are at risk, Microsoft says.

The software giant is continuing to investigate the Web browser flaw, which it says could allow an attacker to create script that could "spoof content, disclose information, or take any action ... on the affected Web site on behalf of the targeted user."

In its frequently asked questions area of the site, Microsoft notes that in a "Web-based attack scenario, an attacker could convince a user to click a specially crafted link that would inject a malicious script in the response of the Web request."

Chester Wisniewski, of Sophos security software, noted on the company's blog that there is "proof of concept code in the wild and it seems to be only a matter of time before we see criminals trying to exploit this flaw. For individuals, or people who only manage a small number of computers, Microsoft has provided a Fix it tool that allows (users) to apply their recommended settings without having to use GPOs or having to manually edit registry keys."

If you're unsure of what to do and don't want to fool with the Fix it tool, the best thing may be to switch to another Web browser for now, such as Firefox or Chrome.