Internet Explorer users are at risk from a new threat that uses a browser add-on to steal login information for nearly 50 banking sites, including Barclays and HSBC, security experts have warned.

The malicious file, which appears to be spreading via a pop-up ad, appears on the heels of an attack that used compromised servers on major e-commerce websites to infect fully-patched IE browsers. The fact that Microsoft hasn't yet released a patch for the latter bug should lead IT managers to seriously consider switching their users away from IE, at least temporarily, according to some security experts.

The latest threat takes the form of a Browser Help Object (BHO), a helper file that allows developers to customise IE. In recent months, hackers have used BHOs to install spyware on a user's PC. The add-ons are so closely integrated with IE that they are difficult to detect and remove, and aren't caught by anti-virus programs such as Norton Antivirus, security experts say.

The new BHO threat appeared last Thursday, when an unnamed "major dotcom" forwarded a suspicious file called "img1big.gif" to the SANS Institute. The file contained a "file dropper" Trojan which installed the BHO, a randomly-named .dll file inserted in the C:\WINDOWS\System32\ directory, according to SANS researcher Tom Liston. The file did not install properly on the intended victim's PC because of account restrictions. SANS issued an advisory on the attack yesterday.

The helper object watches for HTTPS (secure) access to any of several dozen banking and financial sites in several countries, including Citibank, Barclays, HSBC and Deutsche Bank, grabbing any potential login data before it is encrypted. The object then sends the data to the attackers, who researchers said appear to be in South America.

"I believe that this particular type of malware represents a huge threat to the online financial industry," Liston said in his analysis [pdf]. "As the proliferation of ad and spyware shows, installing executable software on users' machines is far too easy."

Users can avoid the threat by switching their IE security settings to "high", Microsoft said. In addition, the upcoming Windows XP Service Pack 2 will include a tool allowing the detection and removal of helper objects that are currently invisible to the user. The malicious code is apparently spreading via an old vulnerability in the way IE handles CHM (Compiled HTML Help) files, so fully-patched browsers may be less at risk.

IE may be too much of a risk for companies to continue using, at least until recently exploited vulnerabilities have been patched, according to security experts. In its advisory on the recent Web server-based attack, security organisation CERT noted that "it is possible to reduce exposure to these vulnerabilities by using a different Web browser, especially when browsing untrusted sites".

Yet switching browsers will not be a simple matter for many IT managers, partly because of user familiarity with the IE interface, and partly for technical reasons. "A decision to switch may reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX," said US CERT. In addition, Web developers argue that a large number of sites are effectively tied to IE because they are tuned to the quirks of the dominant browser rather than to industry standards.

Even if user objections can be dealt with, switching doesn't necessarily solve the problem. CERT notes that switching doesn't remove IE from a Windows system, and other programs may still invoke IE, the WebBrowser ActiveX control or IE's HTML rendering engine.

IE isn't the only browser to allow developers to install powerful helper objects - competing programs such as Mozilla and Opera have similar functionality, though it hasn't been exploited, researchers said.

Regardless of Microsoft's efforts at releasing timely patches and tightening IE security, the browser will remain a risk because nearly every PC uses it, according to security experts. "The primary reason for concern is the huge market dominance that Internet Explorer enjoys," said Symantec in its most recent Internet Security Threat Report. "Client-side vulnerabilities in Internet Explorer continue to pose potential threats to organisations."

There are few signs that IE's dominance is changing as a result of security worries. Google's Zeitgeist feature, which records how the site is used, noted a decline in IE 6.0 usage earlier this year, but the browser soon regained its upward trend. Alone, IE 6.0 accounted for more than 90 percent of the browsers visiting Google as of the end of May; earlier IE versions add to the figure. Netscape/Mozilla and "other" browsers are also on an upward trend but make up a fraction of the overall market.