Less than 24 hours after Microsoft acknowledged the existence of an unpatched, critical flaw in all versions of its Internet Explorer Web browser, computer code that can be used to exploit the flaw has been posted online.
This was bound to happen, as dozens of researchers were poring over malicious code samples that exploited the flaw, which has generated more interest and buzz than perhaps any other vulnerability in recent memory. The reason? Anti-virus makers and security experts say this was the same flaw and exploit that was used in a series of sophisticated, targeted attacks against Google, Adobe and a slew of other major corporations, in what is being called a massive campaign by Chinese hacking groups to hoover up source code and other proprietary information from these companies.
Microsoft said it will continue monitoring this situation and take appropriate action to protect its customers, including releasing an out-of-band patch to address the threat. Typically, Microsoft issues patches on the second Tuesday of the month (a.k.a. “Patch Tuesday), but due to the seriousness of this threat and the sheer number of companies that have apparently already been hacked because of it, Microsoft is likely to push out an update before the end of the month. In fact, I would not be surprised to see a fix for this within the next 7 to 10 days.
In the meantime, Redmond is urging IE users to upgrade to the latest version, IE8, which the company touts as its most secure version of the browser. Still, even IE is still vulnerable, and this is a browse-to-a-nasty-site-and-get-owned kind of vulnerability. As such, Internet users will be far more secure surfing the Web with an alternative browser (at least until Microsoft fixes this problem), such as Google Chrome, Mozilla Firefox, Opera, or Apple‘s Safari for Windows.