NEW YORK: An undocumented flaw in Microsoft's Internet Explorer is being exploited by unscrupulous hackers to infect computers with malicious programs.
According to security experts, a number of pornographic websites, primarily located in Russia, are known to be exploiting this vulnerability to attack computers running any version of IE 6, which has an unpatched error in the way the software processes Vector Markup Language (VML) code, which is used for image display.
The flaw and its exploitation by online criminals were discovered last week by security experts at Sunbelt Software Inc. while they were carrying out online surveillance of known hacking gangs. Eric Sites, a researcher at the company, said the attacks currently seem to originate from hardcore porn sites. But it is a matter of time before other criminals join the fray.
Sites says IE users who visit the sites that launch the attacks can expect their computers to be infected with the BigBlue keystroke logger, which is capable of capturing data from compromised computers, including screenshots, keystrokes, and webcam and microphone data. It can also record instant messaging chat sessions, e-mail information and the websites visited by the user. The malicious program can install the Spybot worm and VXGame Trojan, as well as adware titles such as Virtumondo, SafeSurfing, Avenue Media, WebHancer, Internet Optimizer, SurfSidekick, DollarRevenue and the bogus anti-spyware program SpySheriff.
Sites admits the true potential of the attacks has still not been assessed.
Sunbelt had notified Microsoft about the vulnerability.
An earlier flaw in IE had been exploited by crime groups to attack people who visited a small number of fringe or hardcore porn sites. Several computers were thus infected with spyware.
Security company VeriSign also warned of the flaw. Ken Dunham, director of the rapid response team at VeriSign's iDefense, said this new zero-day attack is trivial to reproduce and has great potential for widespread web-based attacks in the near future.
Microsoft said it is planning to fix the flaw as part of its monthly patching cycle on 10 October.
Sites said that, as an immediate remedy, users can turn off JavaScript.