Microsoft admits security flaw; Stop Exploring, experts say

December 16, 2008

There's a critical security hole in Internet Explorer, the world's most popular web browser.

The unpatched vulnerability, first discovered by hackers and recently acknowledged by Microsoft, could allow someone to gain access to a computer through a website that executes malicious code. Some 10,000 sites have been compromised so far, putting passwords, financial data, and other sensitive information at risk.

In a lengthy security advisory memo on its website, Microsoft urges users to change their "Internet zone security setting" to "high" and to run the browser in "Protected Mode."

Computerworld has a good tech-heavy breakdown of the exploit and the best way savvy surfers can disable its ability to affect their machines. But the easier solution may just be to drop IE.

Internet security firm Trend Micro's Rick Ferguson told the BBC that "if users can find an alternative browser, then that's good mitigation against the threat."

Microsoft has come out against users switching to another browser, citing security flaws. "It would not be advisable to send people from one vulnerability (in Internet Explorer) to multiple vulnerabilities," Windows head at Microsoft UK John Curran told the BBC.

That statement could be in reference to a report out this week on the password managers of popular browsers. It ranked Chrome and Safari at the bottom of the list of how securely browsers safeguard login information.

Though this new exploit is the real deal and should be taken seriously, Wired News reminds readers that garden-variety PC users needn't worry just yet.

If you're the pry-it-out-of-my-cold-dead-hands sort of IE fan, there is one bright side to news that some 10,000 sites are ready to pwn your PC: so far the sites are mostly Chinese and the malicious software is mainly after passwords for computer games, which can be sold on the black market.