Microsoft released a fix Wednesday that should protect Internet Explorer users from a zero-day exploit that emerged last week and rapidly evolved into a major attack vector for cybercriminals and hackers.
The vulnerability, rated “critical,” affects Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 SP 1 and Internet Explorer 7. The software maker’s latest release, Internet Explorer 8 Beta 2, is also affected, and Microsoft recommends that beta users also download and apply the update.
The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights, the company said.
“Microsoft encourages all IE customers to test and deploy this update as soon as possible,” Microsoft security response communications head Christopher Budd said during a live webcast Wednesday.
“It’s an extremely serious threat, because hackers have been actively exploiting the software vulnerability on thousands of Web sites. Users who have visited these sites from vulnerable computers may find their systems infected, potentially stealing personal information from their PCs,” said Graham Cluley, senior technology consultant at Sophos.
Out-of-Band Security Update
The vulnerability was discovered one day after Microsoft’s most recent Patch Tuesday, its monthly dispatch of software updates and patches. It took eight days for company engineers to research the vulnerability and decide to release a fix before January’s Patch Tuesday.
“Normally, when a vulnerability is exploited, it’s a problem, but at least Microsoft has a fix. In this case, the vulnerability was being exploited, but there was no patch from Microsoft [until Wednesday]. Many people will still not have rolled out the fix. Fortunately, some antivirus companies were already able to defend users’ computers — but the Microsoft patch is the ideal way to permanently fix this security hole in Internet Explorer,” Cluley told TechNewsWorld.
Microsoft took a relatively unusual step and released a so-called out-of-band security update, the second in two months, because the vulnerability was being so widely exploited by hackers. As Internet Explorer is the world’s most-used Internet browser, there was a huge number of potential victims.
“The story of the Internet Explorer bug had hit the mainstream news and was damaging their reputation. Microsoft should actually be congratulated for producing a fix so quickly. Indeed, I suspect that they have done it in less time than it will take many people to install the patch on their own PCs,” Cluley pointed out.
The security update addresses the vulnerability by modifying the way Internet Explorer validates data binding parameters and handles the error resulting in the exploitable condition.
The mounting number of exploits taking advantage of the security hole, including those that hijacked legitimate sites to use them as a means of attacking visitors, only highlights cybercriminals’ proclivity to wait for opportunities and strike unwary users.
“I don’t think the cybercriminals ever took it easy. They don’t take vacations, they don’t take time off. One thing you can be sure of is that hackers will be continuing to steal money, data, identities and resources from Internet users throughout the holiday season and into 2009,” stated Cluley.
Even if all IE users patch their browsers quickly, there will be other exploits discovered, and criminals will use other tricks — including social engineering — to make their fortunes, he said.
“It would also be very shortsighted for people who don’t use Internet Explorer to feel smug,” Cluley continued.
For example, Apple just published a whopping 190 MB update to OS X which included numerous important security fixes. Opera updated from version 9.62 to 9.63 on Tuesday, also to close some known security holes. Firefox has just notified users of the release of version 3.0.5, fixing what are referred to as “several security issues,” including three considered “critical — vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.”
“One mitigating factor for Firefox and Opera users is that we’re not yet aware of any active exploitation online of those vulnerabilities. Still, best not take the chance. Get those patches downloaded ASAP,” he concluded.