Microsoft offers IE flaw workaround

Microsoft has released a workaround to a serious flaw in its Internet Explorer browser, but has not said when it will fully solve the problem.

First discovered nine months ago, the flaw is in the ActiveX scripting component of the browser. The vulnerability was recently used by malicious code called Download.Ject to download a Trojan onto PCs visiting certain web pages.

It is so serious that last week the US Computer Emergency Readiness Team advised companies to consider using other browsers for security reasons.

The workaround, issued on Friday evening, does not patch the flaw but "improves system resiliency to protect against the Download.Ject attack", according to Microsoft.

This configuration change blocks some ActiveX components from writing information onto the hard drive.

It is available from the Windows Update service for XP, Server 2003 and 2000 operating systems.

But the workaround does not apply to older operating systems, and users have not yet been given a date for an alternative.

The Microsoft statement continues: "In addition to this configuration change, which will protect customers against the immediate reported threats, Microsoft is working to provide a series of security updates to Internet Explorer in coming weeks that will provide additional protection for our customers."

The company claimed that XP Service Pack 2, due out "in the summer", will contain more security fixes. Service Pack 2 was originally scheduled for release last month.

Windows Update