Microsoft working on patch for IE flaw

Associated Press
Published August 20, 2005

SEATTLE - Microsoft Corp. was working Friday to come up with a fix for a flaw in its Internet Explorer browser that could let hackers gain remote access to computer systems through malicious Web sites.

A patch was not immediately available, though security experts played down the risk.

"If the user doesn't browse a malicious Web site, then the user isn't even under attack," said Gerhard Eschelbeck, chief technology officer at security company Qualys Inc.

Stephen Toulouse, a program manager for the software maker's Security Response Center, said the component that's the root of the problem does not come standard in the Windows operating system.

In an update to a security advisory the company had issued the day before, Microsoft said Friday that machines running Visual Studio 2002 without the Service Pack 1 update, or Office 2003 with Service Pack 3, could be vulnerable.

Microsoft said it knew of no customers who had been attacked.

The company urged Internet users to be careful about opening up Web links in e-mails and said it would release a security update once it had completed its investigation.

Thursday's advisory came after a French security research team published a "proof-of-concept exploit" showing how hackers could take advantage of the vulnerability.

Without referring to the exploit specifically, Microsoft said the flaw "was not disclosed responsibly, potentially putting computer users at risk."