Nearly two weeks after Microsoft issued an advisory about a security problem with its Internet Explorer web browser, the software giant still hasn’t released a patch to fix it, leaving millions of users vulnerable to hackers, security vendors warned Friday.
The security vulnerability that allows hackers to launch malicious software onto computers through web sites affects all Windows users except those running Windows Server 2003, Microsoft said in its advisory released November 21.
But the software giant has still not issued a patch to fix the issue. Typically, Microsoft issues fixes for holes in its software in the form of monthly patches released on the second Tuesday of every month, called “Patch Tuesday.” Microsoft’s next bundle of security patches is not due until December 13.
“It wouldn't be a surprise if more malware was distributed that took advantage of this vulnerability in Microsoft’s code,” said Graham Cluley, senior technology consultant for security firm Sophos. “Everyone who uses the Net needs to be very careful about what web sites they visit, which email links they click on, and to ensure their defenses are always up to date.”
IE is the world’s most widely used browser with about 85 percent of the market, followed by Mozilla’s Firefox, a distant second with around 11 percent. Opera, a rival browser from Norway, has just about a 1 percent share (see Firefox Share Rises Again).
Microsoft declined to comment on the possibility of a patch being released earlier than its monthly schedule, saying the company had nothing to say except for the security advisory it released earlier.
The issue was originally reported in May. At the time, it was regarded as a problem of browser stability. But slowly, the vulnerability has morphed into one that can be exploited by hackers to launch attacks on computers.
Mr. Cluley said Microsoft will be “fuming” that its software is being brought into question before the company has a chance to issue a security patch.
“It will be interesting to see if they decide to break the cycle and release a patch earlier in response to the increasing number of exploits of this problem,” said Mr. Cluley.
Exercise Extreme Caution
Sophos suggested the only way users can protect themselves now is to exercise extreme caution while surfing.
That malware is exploiting a vulnerability in IE indicates a renewed focus by hackers on applications that run on personal computers as opposed to servers or operating systems, said Dave Cole, director, security response at Symantec.
In 2004, there was a huge spike in threats that exploited browser vulnerabilities but those tapered off in the beginning of the year. Now, they are making a comeback, said Mr. Cole.
“Earlier, there were low-level attacks where hackers went after the system itself,” he said. “But with increased usage of firewalls and greater filtering by ISPs [Internet Service Providers], attackers are looking to lure users to places where they can entice them into downloading something.”
IE is not the only browser to face security threats. Recently, a security researcher released news about an un-patched flaw in Firefox (see Mozilla Tests Browser Upgrade).
“Security hazards are not something that you can offset by using Opera and Mozilla,” said Mr. Cole. “It’s a problem that affects everyone but Internet Explorer is hands down the most targeted because it has the most market share.”
In its security advisory, Microsoft included instructions on how to clean infected computers (see Microsoft Security Advisory).