Hackers abuse flaw in Microsoft browser
By Wang Xing (China Daily)
Updated: 2008-12-13 08:46

Online attackers have begun exploiting a flaw in Microsoft's Internet Explorer (IE) browser to hack websites and install hostile code on computers running Windows.

The attacks continued on Friday with the situation getting worse by the hour.

Experts estimated the recently discovered flaw may eventually affect millions of Internet users.

Attackers have already hosted exploit code for the flaw on hacked websites to attack unsuspecting visitors.

In the attacks, the code, which exploits a bug in the way IE handles XML (Extensible Markup Language), drops a malicious program on the victim's PC, which then downloads malicious software from other locations.

Wang Jianfeng, general manager of the customer service center at Beijing Rising International Software, one of China's largest online security companies, said more than 30 percent of the attacks it has monitored have taken advantage of the IE flaw.

"Because Microsoft has yet to release a patch for the flaw, victims are quickly spreading," Wang said.

The number of affected users in the country could eventually be millions, he said.

Shi Xiaohong, an engineer with online security firm Qihoo 360, said: "The impact of the flaw is very severe because it enables attackers to not only infect computers through IE, but also hack into users' machines through programs like Word, Outlook and other software that run XML-based files or code."

Qihoo 360 discovered the first attack using the exploit on Tuesday afternoon, and visits to malicious websites directed by the infected computers had surpassed 1.46 million two days later, he said.

The flaw was made public on Monday by a security group called the Knownsec team. In tests, it worked on IE 7 running on Windows XP Service Pack 2.

Microsoft failed to provide a patch for the flaw on Tuesday, the company's latest Patch Day, on which it delivered eight updates.