Microsoft acknowledged Tuesday that malicious software targeting an unpatched bug in Internet Explorer is on the loose, and urged users to run a complete system scan on its new Windows Live Safety Center -- which has a quirk of its own -- to detect and delete the code.
In an update of a security advisory issued Nov. 21, Microsoft noted that both proof-of-concept code and an exploit are in circulation. The exploit can compromise PCs running IE on a host of the company's operating systems, including Windows 98, Windows Me, Windows 2000, and Windows XP.
The bug, which was reported to Microsoft in May, was first thought to pose only a denial-of-service (DoS) attack risk, but more recent research by security vendor Computer Terrorism Ltd. said that the flaw could be used to hijack a machine simply by luring users to a malicious Web site.
While Microsoft has not produced a patch for the vulnerability, it said users could choose the "Complete Scan" option at its free-of-charge Live Safety Center site to check for and remove the malicious code.
In the advisory, Microsoft repeated its promise that it would "take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."
The advisory includes several workarounds to deflect attacks, including disabling Active scripting in Internet Explorer by choosing Tools/Internet Options, clicking the Security tab, clicking on the Custom Level button, scrolling to the Scripting section, and selecting the Disable radio button next to Active scripting.