Tuesday, December 16, 2008

Media fail to report major Internet risk

Millions of computer users around the world are at risk after Chinese security experts inadvertently revealed holes in Microsoft’s Internet Explorer browser. The vulnerability was first revealed last week by the Chinese security team Knownsec. It said on Tuesday 9th December it mistakenly released exploit code thinking that the problem was already patched, iDefense said [computerworld].

Unfortunately there was no patch, and by the weekend around 0.2% of the world’s computers had been “exposed to websites containing exploits of this latest vulnerability”, according to researchers Ziv Mador and Tareq Saade on their blog. The hole enables hackers to place code on websites which enables them to steal passwords from subsequent visitors. Initially the affected sites appeared to be pornographic websites; however, the problem has grown significantly, with many other sites now affected. Security experts warned that the number of affected sites was growing exponentially and, while some attacks were launched to steal passwords to online gaming, there was an increased risk the exploit could be used to steal more sensitive data.

By Sunday many security experts were advising PC users to use a different web browser, such as Firefox, Flock or Google Chrome, until Microsoft came up with a solution. But it was only on Tuesday morning that major news organisations began to cover the story. Many may still be unaware of the risk, as the item is buried away in the tech pages of news websites and the back pages of newspapers. The BBC mentioned the news on their website at 09:20 GMT, but their 24-hour news channel did not report the ‘Breaking News’ until 11:15 GMT, about a week after the exploit was discovered!

As for a solution, it is unclear when Microsoft, which only recently issued its biggest group of patches in five years, will release a patch for this vulnerability. Such patches often take time to develop, and a scheduled patch release is not due until 13th January 2009. An emergency release may come, but until then computer users are told to be extra vigilant with their online activity.

Microsoft advises users to use IE in protected mode, but this is only available to Vista users. Symantec gave a far more comprehensive ‘work around’ but many users would probably be baffled by the list.

The news of the security failure could not have come at a worse time for Microsoft as it prepares to launch a new operating system [Sky News]. Windows 7 may not be out for some time but with more and more holes appearing in Microsoft products, many computer users may start to look elsewhere.
