Unpatched Microsoft Internet Explorer vulnerability being actively exploited


As many of you who follow the security scene will know, Microsoft released an advisory about a zero-day vulnerability in the Internet Explorer web browser a couple of days ago.

Sophos published its own analysis of the severity of the vulnerability that I would recommend you read if you haven’t already done so.

The bad news is that there isn’t an official fix for this vulnerability from Microsoft yet, and we are seeing real in-the-wild instances of websites being struck by SQL injection attacks that then serve up the exploit.

Fraser Howard goes into greater detail about this problem on the SophosLabs blog, explaining how the analysts in our research labs have developed protection against the current wave of attacks and how we have prepared proactive defences what may crop up in the future too.

The latest Sophos Security Threat Report discussed the rising tide of SQL injection attacks and the threat posed by hacked websites (there have been three times more infected webpages discovered during 2008 than in 2007, with one new victim found every 4.5 seconds).

If you haven’t yet managed to convince your bosses of the needs for comprehensive protection against web-borne threats, maybe now is the time to do it.