The Microsoft Corp. has finally patched a problematic security flaw in Internet Explorer. After two failed attempts, the software titan was able to develop a patch that plugs a giant hole that could let in a Trojan horse capable of hijacking the browser and redirecting it to assorted Websites. The free download is posted on Microsoft's security site.
"We've tested it extensively, and it plugs the vulnerability that it's supposed to. In fact I'd be willing to give Microsoft kudos for their latest patch," Rob Shively, CEO of the network security consultancy PivX Solutions LLC, told PC World.com.
Microsoft shifted into high gear last week to fix Explorer following reports that a Trojan horse dubbed Qhosts-1 was spreading. The applet vandalizes PCs after sneaking in through a pop-up browser window. It then overwrites the Hosts file in the Windows directory, filling it with several megabytes of IP address redirections that send your browser to the hackers' Website when you try to access search sites such as Google or Yahoo. Some versions of the Trojan horse send your browser to porn sites.
"Trojan horses aren't self-replicating like viruses, and something that doesn't spread by itself is unlikely to be spotted by antivirus software," Andy Cianciotto, program manager for the security response team at antivirus software maker Symantec Corp, told PC World.com. "A personal firewall will spot a Trojan horse, though."
If a user is running Explorer without the patch installed, infection can occur very easily. A surfer simply has to visit a Web page that happens to be displaying the Trojan banner ad and its accompanying pop-up to get infected. The user doesn’t even need to press a key in order for Qhosts-1 to start overwriting your Hosts file.
To restore a system after a Qhosts-1 attack, simply delete the Hosts file, which is normally empty.
The security hole in Explorer permits pop-ups to run ActiveX scripts in areas of a PC that Explorer's security settings supposedly put off-limits to ActiveX, and it does so without any user input. The security threat is not only grave, it's easy for hackers to exploit. Microsoft has known about the hole since last summer and has provided three patches to plug it. The first two patches didn't work but the third appears to be doing the trick.
"Some low-risk vulnerability" remains, Shively said, but users who install the patch are fairly safe from malicious browser pop-ups.
Microsoft representatives declined to comment for this article.