A critical vulnerability in Internet Explorer that is being actively exploited by malicious websites and emails is still unpatched after more than a week. Microsoft says that a cumulative security update to fix the problem “is on schedule to be released as part of the April security updates on April 11, 2006, or sooner as warranted”.
The bad guys appear to have been reading the Microsoft advisory, which tries to downplay the seriousness of the vulnerability, saying it “could not be exploited automatically through e-mail messages … Customers would have to click on a link that would take them to a malicious Web site…”. Some of the exploit attempts use excerpts from actual BBC news stories and offer a “Read More” link. Naturally, the link leads to a fake site that looks like the BBC site but which contains the TextRange exploit.
Users should disable Active Scripting in Internet Explorer, or use another browser.