Microsoft Responds (but does not fix) Recent exploits regarding the Internet Explorer HTML handling vulnerability

03/28/2006 Update: This is just getting Worse The vulnerability in Internet Explorer that we reported on Friday is quickly being taken advantage of, says the Washington Post's Brian Krebs, and more than 200 web sites have been altered by hackers to include malicious code to exploit it. Sites being seeded with infectous code include small business sites that most users would never suspect of harboring malicious software. When an Internet Explorer user visits such a site, all kinds of malware may be silently installed on their computers, including programs which steal passwords and credit card numbers. Microsoft has yet to release a patch and likely won't for another two weeks when Patch Tuesday rolls around. They're still advising users to disable Active Scripting, but Krebs is recommending much more direct action that I echo: drop Internet Explorer and install Firefox or Opera. For those of you STILL using Microsoft's Internet Explorer you'll be wanting to take a look at Brian Krebs' latest update on the most recent flaws in the software and links to the new unofficial patches. The patches are free, but again, unofficial. They are designed to repair flaws that hackers can access to steal passwords. I’m starting to use Internet Explorer less…and…less. Saturday the Microsoft Security Response Center became aware of public reports of attacks on some PC users utilizing the vulnerability that Lennart posted about in Internet Explorer. Here's what we know. The attacks are limited in scope for now and are being carried out by malicious Web sites exploiting a vulnerability in the method by which Internet Explorer handles HTML rendering. To be clear, and as our advisory states, the vulnerability affects currently supported versions of Windows 2000, Windows XP and Windows Server 2003. So. What are the IE team and the MSRC doing right now? Well, first off we're working day and night on development of a cumulative security update for Internet Explorer that addresses the vulnerability. As we've been told many times, the focus should be on quality, but with a clear eye towards time. The security update is currently being finalized through testing to ensure the level of interoperability and application and web compatibility needed. Right now, the update is on schedule testing wise to be released (meeting the quality goals customers have asked for) as part of the April security updates on April 11, 2006. But as I said, we're actively keeping an eye on any attempts to utilize this in an attack. We'll release it sooner if warranted. Right now we're monitoring the attempts to exploit this vulnerability and we're working with our industry partners and law enforcement to remove the malicious Web sites using the vulnerability as they pop up. That's a key point because it's important that we work to limit the ability of attackers to utilize this vulnerability in criminal attacks. I want to caution everyone that they should take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code. If you are concerned about exploitation of the vulnerability by websites you frequently visit though, you should follow the guidance on safe browsing at: http://www.microsoft.com/athome/security/online/browsing_safety.mspx. Enterprise customers should review our recent Security Advisory (917077) for up-to-date guidance on how to prevent attacks through exploitation of this vulnerability while we work on the update. One other thing to note. Everyone should know that the security update addressing this vulnerability is a cumulative update that contains all previous security updates for Internet Explorer, new security updates for issues unrelated to the current attacks, as well as minor non-security related changes to how Internet Explorer handles some Web pages that use ActiveX controls. For more information on these changes, you should check out security advisory 912945. The MSRC and your Internet Explorer team is working on this issue day and night. This is an ongoing issue and we will post more guidance as it becomes available.