An exploit is loose on the Internet that allows a Web site to infect a PC running a fully patched version of Internet Explorer 6, and Microsoft at this writing has no patch available to close the security hole.
According to an analysis published by Jelmer Kuperus, a computer science student in the Netherlands, the attack illustrates two new, previously unknown weaknesses in IE 6.
For now, the exploits that have been reported to be “in the wild” merely install a new toolbar into IE and then display pop-up ads, some of which are adult-oriented. (The toolbar is downloaded from a site known as I-Lookup, which is registered in Costa Rica. But the Trojan horse that exploits the IE hole could have been written by an independent affiliate, not someone associated with the site itself.) The security flaws, however, could easily leave a PC open to actual damage if a truly malicious hacker substituted different code.
After Kuperus announced the problem on Full-Disclosure, a security mailing list, the flaw was confirmed by numerous organizations, including US-CERT and Secunia Security. The latter consulting group rated the seriousness of the problem as “extremely critical,” the highest category of threat.
Although Microsoft as yet has no patch to correct the IE 6 flaw, the upcoming Service Pack 2 (SP2) for Windows XP is said to close the hole. A new beta release of SP2 — Release Candidate 2 — came out on June 14. But, according to eWeek magazine, Microsoft has backed away from earlier promises that the final product will emerge in late July. It could be delayed into August or later.
Since it’s never recommended that you install a final build over a beta release, even one that’s been uninstalled, XP SP2 isn’t a viable solution for most Windows users at this time. Until XP SP2 is publicly available and you’ve installed it (if you decide to do so), there are steps you can take to understand and avoid the I-Lookup problem.