It is now known that the web browser, used by 900 million people across the globe, requires a software patch in order to defend against attack while Microsoft prepares a longer-term fix, a massive security slip-up by the firm.
A security advisory announcement was made on Friday highlighting scripting vulnerabilities affecting all versions of Windows.
It is not, however, thought that there have been any breaches of security so far: “The main impact of the vulnerability is unintended information disclosure,” said Angela Gunn, a Microsoft representative.
“We’re aware of published information and proof-of-concept code that attempts to exploit this vulnerability, but we haven’t seen any indications of active exploitation.”
The fault lies in the MHTML protocol handler, which is used by applications to render certain kinds of document.
According to the statement, an attacker could, for example, construct an HTML link designed to trigger a malicious script and then persuade the targeted user to click on it.
Once this happens, the script would be able to run on the machine for the rest of that IE browser session, potentially collecting information from emails, sending the user to fake sites and generally interfering with browser usage.
“The workaround we are recommending customers apply locks down the MHTML protocol and effectively addresses the issue on the client system where it exists. We are providing a Microsoft Fix-it package to further automate installation,” Gunn said.
“We’re also in communication with other service providers to explain how the issue might affect third-party Web sites and to collaborate on developing a variety of further solutions that address the varied needs of all parts of the Internet ecosystem – large sites, small sites, and all those who visit them.”
People are advised to return to the Microsoft Security Response Centre to check for any update on the situation. The fix can be found here.