
New Security Flaw in Internet Explorer


Computer security experts are advising users of Microsoft's Internet Explorer to switch to another web browser until a major security flaw is fixed.

The problem, first revealed last week, allows criminals to hijack computers and steal passwords if the user visits an infected website.

As many as 10,000 sites have already been compromised to take advantage of the flaw, according to anti-virus software producer Trend Micro.

So far the websites, which are mostly Chinese, have been used to steal computer game passwords which can be sold on the black market.

But Trend Micro security researcher Paul Ferguson told the Associated Press there were major concerns that the problem could be exploited by "more financially motivated criminals for more serious mayhem".

Microsoft said it had so far only found attacks against version 7 of Internet Explorer, the world's most popular web browser, but warned that other versions were "potentially vulnerable".

In a security update issued yesterday, the computer giant said: "We are actively investigating the vulnerability that these attacks attempt to exploit.

"We will continue to monitor the threat environment and update this advisory if this situation changes."

Microsoft may fix the problem in its regular monthly security update or issue an emergency software patch.

The flaw is known as a "zero day" vulnerability because it has not been fixed yet, allowing cyber criminals to exploit it.

It was discovered on December 9, the same day Microsoft released its monthly security update.

Rik Ferguson, Trend Micro's senior security adviser in the UK, said this was a deliberate tactic by criminals to cause maximum confusion among computer users, who could wrongly believe they were protected.

"Zero days are unusual - and zero days in the world's most popular browser on the world's most popular operating system are really unusual," he said.

The expert said the flaw was of "really high value to the cyber-crime community", adding: "The threat from it is only going to grow."

Computers can be infected by visiting a legitimate website that has been compromised with a small piece of code that invisibly redirects the browser to an infected site.

Then a Trojan programme is downloaded to the hard drive, allowing criminals to do everything from stealing passwords to using the machine to send out spam e-mails or even host a child pornography website.

Computer code that exploits the flaw is being sold on internet forums - but it was also released by Chinese researchers who incorrectly thought the problem had been fixed.

Mr Ferguson advised Internet Explorer users to download his company's free Trend Protect plug-in, which protects against the vulnerability.

He said changing to free rival web browser Firefox would "certainly be an option" but urged people who do this to use the NoScript plug-in.




Featured author
David Dunlap David Dunlap has been both a Web host industry analyst and commentator for the past eight years. Prior to his active writing career, David was a network and communications technician for four years. He currently is the Editor-in-Chief for WebHostMagazine.com