By Walaika Haskins TechNewsWorld Part of the ECT News Network
12/18/08 8:47 AM PT
It took over a week, but Microsoft engineers have come up with a patch to mend a critical vulnerability in Internet Explorer. The security bug in the world's most-used Web browser was discovered shortly after Microsoft's regular patch dispatch. The timing and the level of publicity the vulnerability received motivated the company to create and issue an out-of-band update.
Microsoft (Nasdaq: MSFT) released a fix Wednesday that should protect Internet Explorer users from a zero-day exploit that emerged last week and rapidly evolved into a major attack vector for cybercriminals and hackers.
The vulnerability, rated "critical," affects Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 SP 1 and Internet Explorer 7. The software maker's latest release, Internet Explorer 8 Beta 2, is also affected, and Microsoft recommends that beta users also download and apply the update.
The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights, the company said.
"Microsoft encourages all IE customers to test and deploy this update as soon as possible," Microsoft security response communications head Christopher Budd said during a live webcast Wednesday.
"It's an extremely serious threat, because hackers have been actively exploiting the software vulnerability on thousands of Web sites. Users who have visited these sites from vulnerable computers may find their systems infected, potentially stealing personal information from their PCs," said Graham Cluley, senior technology consultant at Sophos.
Out-of-Band Security Update
The vulnerability was discovered one day after Microsoft's most recent Patch Tuesday, its monthly dispatch of software updates and patches. It took eight days for company engineers to research the vulnerability and decide to release a fix before January's Patch Tuesday.
"Normally, when a vulnerability is exploited, it's a problem, but at least Microsoft has a fix. In this case, the vulnerability was being exploited, but there was no patch from Microsoft [until Wednesday]. Many people will still not have rolled out the fix. Fortunately, some antivirus companies were already able to defend users' computers -- but the Microsoft patch is the ideal way to permanently fix this security hole in Internet Explorer," Cluley told TechNewsWorld.
Microsoft took a relatively unusual step and released a so-called out-of-band security update, the second in two months, because the vulnerability was being so widely exploited by hackers. As Internet Explorer is the world's most-used Internet browser, there was a huge number of potential victims.
"The story of the Internet Explorer bug had hit the mainstream news and was damaging their reputation. Microsoft should actually be congratulated for producing a fix so quickly. Indeed, I suspect that they have done it in less time than it will take many people to install the patch on their own PCs," Cluley pointed out.
The security update addresses the vulnerability by modifying the way Internet Explorer validates data binding parameters and handles the error resulting in the exploitable condition.
Dangerous Times
The mounting number of exploits taking advantage of the security hole, including those that hijacked legitimate sites to use them as a means of attacking visitors, only highlights cybercriminals' proclivity to wait for opportunities and strike unwary users.
"I don't think the cybercriminals ever took it easy. They don't take vacations, they don't take time off. One thing you can be sure of is that hackers will be continuing to steal money, data, identities and resources from Internet users throughout the holiday season and into 2009," stated Cluley.
Even if all IE users patch their browsers quickly, there will be other exploits discovered, and criminals will use other tricks -- including social engineering -- to make their fortunes, he said.
"It would also be very shortsighted for people who don't use Internet Explorer to feel smug," Cluley continued.
For example, Apple (Nasdaq: AAPL) just published a whopping 190 MB update to OS X which included numerous important security fixes. Opera updated from version 9.62 to 9.63 on Tuesday, also to close some known security holes. Firefox has just notified users of the release of version 3.0.5, fixing what are referred to as "several security issues," including three considered "critical -- vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing."
"One mitigating factor for Firefox and Opera users is that we're not yet aware of any active exploitation online of those vulnerabilities. Still, best not take the chance. Get those patches downloaded ASAP," he concluded.