Microsoft has issued an emergency security update to plug a critical hole in its Internet Explorer Web browser. The IE bug is the same flaw that is being blamed in part for fueling a spate of recent break-ins at Fortune 100 companies, including Google and Adobe.
If you use Microsoft Windows, please take a moment now to update your computer. Updates are available for all supported versions of IE and Windows. The easiest way to install the patch is through Windows Update. Users who have Automatic Updates turned on may be prompted to download and apply this within the next 48 hours or so, but honestly this is the kind of bug you probably want to quash as soon as possible.
The reason is that this is a browse-to-a-hostile-site-and-quickly-have-a-bad-day kind of flaw. What’s more, Symantec is now reporting that it has discovered hundreds of malicious and/or hacked Web sites that are serving up code that exploits this flaw to download malicious software. While many of these sites are in China, that fact matters little because hackers can always stitch code into a hacked, legitimate site that quietly and invisibly pulls down exploits from other sites. Meanwhile, security firm Websense warns that the targeted e-mail attacks leveraging this flaw continue unabated.
When computer code that exploits this IE flaw was first posted online last week, Microsoft was quick to point out that it had only seen the code working reliably against IE6 users. However, researchers now claim that the exploit can also be made to work against IE7 and even IE8 — the latest version of IE that ships with Windows 7 systems.
The fixes included in this patch aren’t limited to the publicly disclosed flaw: Microsoft has addressed seven other vulnerabilities in this patch as well. More details about this specific update are available at this Microsoft TechNet page.