Microsoft Issues Emergency IE Security Patch in Response to Google Cyber Attack
Microsoft Corporation issued a critical patch on Thursday for Internet Explorer that fixes eight vulnerabilities in the world’s most popular browser. Included in the emergency patch is the fix for the IE hole that was exploited in Operation Aurora, the China-based cyber assault on Google and a collection of other U.S. companies.
Rated critical in Microsoft Security Bulletin MS10-002, the Cumulative Security Update for Internet Explorer applies to all supported releases of Internet Explorer, including IE 5, 6, 7, and 8. The security update fixes the vulnerabilities by changing the way that Internet Explorer handles objects in memory, validates input parameters, and filters HTML attributes.
Reuters reported that, according to Symantec Corporation, the world’s largest security software maker, additional hackers have started to exploit the IE flaw. Security researcher John Harrison stated that the company had discovered viruses that exploit the Microsoft browser on approximately 100 Web sites. These viruses are dangerous because they can infect the computers of users who visit the contaminated sites. In the most severe case, the attackers could gain remote control of a computer through the Web sites while the user is browsing.
Microsoft recommends that the patch be applied as soon as possible. Customers who do not have automatic updating configured on their machines will need to check for updates and manually install them. To manually download the IE patch, see Microsoft’s Security Bulletin MS10-002 under Affected and Non-Affected Software.
For customers who have enabled automatic updating, the patch will be downloaded and installed on their computers automatically. To determine if your PC has automatic updating, please see: Windows Update: Automatic Update.
To turn on Automatic Updates on Windows, Microsoft’s directions state:
- Click Start, and then click Control Panel.
- Depending on which Control Panel view you use, Classic or Category, do one of the following:
  1. Click System, and then click the Automatic Updates tab.
  2. Click Performance and Maintenance, click System, and then click the Automatic Updates tab.
- Click the option that you want. Make sure Automatic Updates is not turned off.
George Stathakopoulos, Microsoft’s general manager, Trustworthy Computing Security, explained in a blog post on January 17 that “The attacks that we have seen to date, including public proof-of-concept exploit code, are only effective against Internet Explorer 6.” He reiterated Microsoft’s recommendation that customers using Internet Explorer 6 or 7 upgrade to the security-enhanced Internet Explorer 8.
Microsoft’s combined versions of Internet Explorer accounted for over 62% of the world’s Internet users according to Market Share by Net Applications in December 2009. Internet Explorer 6 was still the number one browser with 20.99%, IE 8 came in second at 20.86% and IE 7 came in fourth place with 15.53%.