Microsoft announced it would produce patches for the three bugs that affect its Internet Explorer browser in its next security update due on April 11.
The patches will be released earlier, however, if the threat grows significantly, according to a posting on Microsoft's Security blog.
"If warranted we will release that update as soon as it's ready to protect customers. Right now our testing plan has it ready in time for the April update release cycle," wrote Stephen Toulouse, Program Manager in Microsoft's response center.
Various security firms have said that the IE vulnerabilities were already being targeted by malicious hackers keen to catch out unsuspecting users.
The first of the bugs discovered in Microsoft's browser will simply make the browser program crash if it is used to visit a specially crafted web page.
The other two problems are potentially more serious because they can be used to take control of a
Specially written web sites and hijacked servers are already being used to host the malicious code that uses the loopholes to invade vulnerable machines, according to security firms.
Consumers using the patched versions of IE bundled with Windows 2000, Windows XP and Windows Server 2003 are affected by these bugs. People trying out the Beta 2 version of Internet Explorer 7 are safe.
To avoid falling victim, Microsoft urged users to avoid web sites they did not trust and to avoid opening attachments on e-mail messages from unknown senders.
In the meantime, eEye Digital Security released a temporary fix on Monday for Internet Explorer.
The unofficial fix blocks access to the attackable component in the Microsoft web browser, preventing malicious web sites from taking advantage of the vulnerability, said Steve Manzuik, security product manager at eEye in Aliso Viejo, California.
Though eEye's patch does protect PCs against attacks that take advantage of the flaw, the company recommends installing the fix only as a last resort. "Organizations should only install this patch if they are not able to disable Active Scripting as a means of mitigation," Manzuik said. Disabling Active Scripting is Microsoft's suggested work-around.
"This patch is not meant to replace the forthcoming Microsoft patch, rather it is intended as a temporary protection against this flaw," Manzuik said.
Microsoft doesn't recommend installing eEye's fix, though. "We have not tested this mitigation tool," said Stephen Toulouse. "We can't recommend it because we have not tested it... Customers should weigh the risk of applying something like this to their systems."