Over the weekend, there were reports of exploits appearing for the drive-by Internet Explorer security hole reported last week. Now they are cropping up in a lot of unexpected places. Brian Krebs at the Washington Post:
More than 200 Web sites — many of them belonging to legitimate businesses — have been hacked and seeded with code that tries to take advantage of an unpatched security hole in Microsoft’s Internet Explorer Web browser to install hostile code on Windows computers when users merely visit the sites.
In an update to its Security Response Web log, Microsoft security program manager Stephen Toulouse said the attacks Redmond is seeing against the IE flaw “are limited in scope for now and are being carried out by malicious Web sites.”
I have to call Microsoft out on both counts, and I think some of what I’ve uncovered so far about these attacks should make it clear that the situation is serious and getting worse by the hour.
According to a list obtained by Security Fix, hackers have infected at least 200 sites, many of which you would not normally expect to associate with such attacks (i.e., porn and pirated-software vendors). Among the victims are a regional business council in Connecticut, a couple of vacation resorts in Florida, a travel-reservation site, an online business consultancy, an insurance company, and a site featuring things to do at various cities across the country.
Many more details, including reports from victims, are available by following the link. Steven J. Vaughan-Nichols asks, “Why Is Anyone Still Using Internet Explorer?” Even accounting for hyperbole, now might be a good time to try a different browser for a while.