Sunbelt Software have recently (21st September 2006) discovered a serious flaw in Internet Explorer that can allow a vulnerable machine to be completely compromised.
According to yesterday's BBC report, Microsoft are still considering whether the flaw is serious enough to warrant an out-of-cycle patch, rather than waiting for the next scheduled tranche of patches, due on Tuesday, 10th October 2006.
Worryingly, the flaw is already being exploited in the wild, according to researchers at Sunbelt Software. They have visited web sites hosting the so-called VML exploit and seen those sites download large amounts of spyware and other malware onto otherwise fully protected and patched machines.
Alex Eckelberry of Sunbelt Software mentions in his blog of 25th September 2006 that the firm has started to see spam emails (in the guise of Yahoo greeting cards) that lure victims to web sites carrying the exploit code. The Sunbelt Blog currently has a lot of information on this vulnerability. (The SecuriTeam Blog has a FAQ for those interested in some of the more technical aspects of the exploit.)
Thankfully, this does not get that close to our "zero-day scenario", in which a mass-mailed virus exploiting an unpatched flaw is triggered automatically on arrival in end-users' inboxes: here the victim still has to be lured into visiting a malicious web page. It is, however, another timely reminder that known flaws are being actively exploited before official patches are made available.
We do not, at present, generally advise applying the unofficial third-party patches that are fast becoming the rage, simply because they could cause as much trouble as they are meant to prevent.
We would advise people to be particularly vigilant when handling email, and in particular to be wary of following links in unsolicited greeting-card messages. We strongly advocate keeping end-users alert: it has often been human vigilance, rather than automated protection, that has saved the day.
If you would like further advice, please contact us.