By Stephen H. Wildstrom Security experts had been waiting for a couple of weeks for the shoe to fall. On June 11, US-CERT, the government-funded computer-security watchdog at Carnegie Mellon University warned that a flaw in Microsoft Internet Explorer could allow a Web site to dump malicious programs onto Windows computers. The alert was highly unusual because CERT normally avoids public warnings about vulnerabilities until patches to fix them are available.
By Friday, June 25, it became clear why the experts were worried. Reports started flowing from security services that unsuspecting computer users were being hit by a program that could log their keystrokes, grab account information and passwords, and send them back to a computer in Russia. The initial assault was stopped over the weekend by shutting down the Russian site and updating antivirus software to deal with the program, known as either JS.scob.trojan or download.Ject. But the basic vulnerabilities remain, and a second wave of attacks seems likely.
Before that happens, here are some answers to key questions about this latest vulnerability and what can be done about it:
What makes this risk unusually serious?
Internet Explorer has been long known to be vulnerable to the covert downloading of software from malicious Web sites. In the past, this has been a problem only with sites of dubious virtue, especially those specializing in porn, cracked software, and music sharing. The latest attacks exploit a separate flaw that can corrupt even "legitimate" Web sites that run Microsoft's popular Internet Information Services software, which is used to serve Web pages to site visitors. And the nasty program can be downloaded without any action by the user. Merely visiting the corrupted site is all it takes.
What Web sites were affected?
Those who know aren't saying, for both security and legal reasons. "[Web site owners] who don't warn their users risk both reputational and legal liability," wrote Alan Paller, research director of the SANS Institute, a nonprofit security research and education organization, in the organization's @RISK newsletter. "Those who do tell are also at risk." Without naming names, a bulletin from the SANS Internet Storm Center reported "a large number of Web sites, some of them quite popular, were compromised."
What does Microsoft plan to do about the problem?
That's not clear. The underlying flaw in IE, one that allows Web sites to trick the browser into trusting them, has been around in one form or another for at least four years and has defied numerous patches designed to repair it.
A new version of IE, part of a Windows XP operating system update known as Service Pack 2, makes major architectural changes and appears to fix the vulnerability. But SP2 is not expected to be released until August, and it's not clear whether Microsoft will offer a patch in the interim. (Microsoft hadn't responded to requests for comment by the time this piece was published.)
So what can I do to protect myself in the meantime?