After more than two weeks of investigating the IFRAME Bofra exploit, Microsoft has yet to announce when it will be able to fix the problem.
The software giant was unable to provide any further answers to ZDNet UK as to when it expects to resolve the flaw for its customers. In a prepared email statement from the company, a spokesperson said: "Microsoft is actively investigating new public reports of a criminal attack, known as Bofra, attempting to exploit a vulnerability in Internet Explorer's treatment of an HTML element known as IFRAME."
The spokesman added that Microsoft is working to forensically analyse the malicious code in Bofra and "will work with international law enforcement to identify and bring to justice those responsible for this malicious activity".
The exploit affects Internet Explorer 6.0 on Windows 2000 and XP SP1. Computers running SP2 are said not to be affected by the exploit.
Earlier this week, several Web sites were hit with banner ad Bofra exploits that directed users to other sites and downloaded malicious code onto their machines.
Analyst company Gartner has predicted that hackers will increase their use of the banner ad attack because of its widespread effectiveness.
The software giant added: "Microsoft is taking this vulnerability very seriously; accordingly an update to correct the vulnerability is currently in development. We will release the security update when the development and testing process is complete, and the update is found to effectively correct the vulnerability."
Microsoft has attacked independent researchers who made the IFRAME flaw publicly available. Within a few days of its publication, hackers had created an exploit for the vulnerability.
The company said that people who believe they have been attacked should contact their local law enforcement agency.






Talkback
A patch exists already - it's called Firefox. Or Mozilla. Or Opera. The only other choice for W2K or pre-SP2 XP users who can't upgrade is to keep off the Internet until MS can offer a fix of its own.
And it's not unreasonable to assume that this is going to happen again, either.
Hee hee, Chris - You are dead right.
I've been quite impressed with Firefox 1.0 so far. I'd read that a lot of company internal systems were written to only work with IE and would block or break other browsers, but I've used Firefox with all my internal browser-based company systems (expenses, timesheets, general intranet, problem management system) and it works fine with them - and one of them is *much* faster. I came across one minor glitch with some non-standard JavaScript (which didn't prevent me using that page) and when I researched it I found that this was already fixed in Firefox but didn't quite make it into 1.0. It will be in V1.1 early next year.
Also, Firefox is getting to the crucial stage where it will soon reach 10%+ market share and then it will be very hard for those websites that block out non-IE browsers to maintain that stance.
Amen, Chris. Been using Mozilla for a few months and not a problem has arisen.
I've had Mozilla Firefox as my browser for a couple of months now and I have not looked back, apart from when it's time for Windows updates, then I have to use creaky old Explorer, and it takes an age to load up properly and half the functions don't work! I don't know why I bother!
I really urge anyone I can to go the Firefox way, it's the only real safe way to surf the net... three cheers for Mozilla Firefox, Hip Hip Hurray!!!
I have tried Firefox but I have a repeated problem with it. Far too many sites when accessed cause the message
'this document has no data'.
I have assumed that they were gormless sites which would only work with IE.
But I am not so sure as there are too many, I can also download updates from Microsoft using Firefox.
If anybody has an answer I would be grateful for an email to brian_terry@tiscali.co.uk