IE Exploit Code Published

January 16, 2010

Well, that didn’t take long.  In my post yesterday about the use of a newly-discovered vulnerability in Internet Explorer to attack Google and other targets, I suggested that “Today’s ultra-sophisticated attack will be packaged for use by script kiddies before you know it”.

According to an article in IT World, the code used in the attacks has now been published on the Internet, and has started to show up in other attacks.  As it stands, the exploit is extremely easy to use against machines running Internet Explorer 6 on Windows XP.  Later versions of IE are more difficult to exploit, and machines running Windows Vista or Windows 7 with Data Execution Prevention enabled are also somewhat less vulnerable.  As I mentioned in yesterday’s note, Microsoft has issued a Security Advisory on the vulnerability.  There is speculation, although no firm information, that Microsoft may issue an out-of-schedule security fix for this flaw before the next scheduled “Patch Tuesday”, which is February 9.

Brian Krebs, in a post on his “Krebs on Security” blog, has suggested, as I have, avoiding Internet Explorer:

As such, Internet users will be far more secure surfing the Web with an alternative browser (at least until Microsoft fixes this problem), such as Google Chrome, Mozilla Firefox, Opera, or Apple’s Safari for Windows.

The German Bundesamt für Sicherheit in der Informationstechnik (Federal Office for IT Security) has also recommended (in German) that users avoid using Internet Explorer, at least until Microsoft can issue a patch.

