IE Hole Surrenders Your Computer

A new hole in Internet Explorer could allow a malicious hacker to take control of your computer simply by sending an e-mail with an attachment. By Michelle Delio.

Reader's advisory: Wired News has been unable to confirm some sources for a number of stories written by this author. If you have any information about sources cited in this article, please send an e-mail to sourceinfo[AT]wired.com.

A dangerous security hole has been discovered in Microsoft's Internet Explorer.

Spanish security expert Juan Carlos Cuartango discovered the hole, which allows attackers complete access and control over any computer running any version of the Windows operating system and Internet Explorer Versions 5 and 5.5.

An attacker can gain control of another user's machine using an HTML-formatted e-mail with an attachment that contains a small remote-control program. The e-mail can be sent directly to the victim, or can be placed on a website.

Unlike previous e-mail-activated attacks, the victim of this attack does not have to download the e-mail or click on the attachment for it to work. If a malicious user sends an affected HTML e-mail or hosts an affected e-mail on a website, and a user opens the e-mail or visits the website, Internet Explorer automatically runs the executable program on the user's computer.

Typically, attackers will exploit the hole by sending a provocative e-mail to prospective victims in an attempt to lure them to the malicious website.

Once a computer has been compromised, the attacker -- working from a remote location -- can do anything the computer's owner could do on the machine.

"This is the biggest Microsoft Internet Explorer vulnerability I have ever discovered," said Cuartango, who details the hole and its ramifications for Windows computer users on his Spanish-language website.

Microsoft was not immediately available for comment, but has released a "critical" security alert as well as a patch to fix the hole.

Microsoft strongly advises "all customers using Microsoft Internet Explorer to install the patch immediately."

The company says full documentation of the problem will be posted by Saturday.

Cuartango said he alerted Microsoft to the problem on Feb. 14.

"Microsoft responded immediately and their security team also started working immediately to produce a fix," he said.