These days the Internet reads like a bad movie script. Reuters reports that security holes in Microsoft’s Internet Explorer browser have been exploited by hackers to hijack AOL instant messaging accounts and force unsuspecting Web surfers to run up massive phone bills. Some Internet Explorer users are also finding that malicious Web sites are secretly slipping trojan programs onto their computers, according to eEye Digital Security, which discovered the original security vulnerability. Such stealth programs can include keystroke loggers that record everything a person types or software to erase the hard drive, among other things.
The attacks are accomplished by leading Internet Explorer users to a malicious Web site, either by sending an e-mail with a link to the Web page or by distributing a link through instant messaging. When the Web site appears, it downloads code onto the unsuspecting user’s machine that can execute commands on its own, according to Copley. An attacker has written a program that uses a security hole in Internet Explorer to hijack an already running AOL Instant Messenger account, change the password and send a message to the buddy list with a link to the malicious Web page, according to postings on the Bugtraq security e-mail list.
From the This Doesn’t Inspire Confidence Dept comes news that a patch recently released by Microsoft to fix a critical security vulnerability in its Internet Explorer browser does not work, according to security experts. CNET says that the vulnerability was discovered by eEye Digital Security around four months ago. The vulnerability in question can be exploited by crafting a malicious HTML file that, when viewed by an Internet Explorer browser, extracts and executes malicious code.
Two patches have since been released, but, according to eEye, neither fixes the vulnerability it is supposed to. If you’re worried, disable active scripting in your browser until Microsoft updates the patch. (Go to Tools/Options/Security/Custom Level, and then scroll down until you get to Active Scripting.)