January 21, 2010

Microsoft has issued an emergency security update to plug a critical hole in its Internet Explorer Web browser. The IE bug is the same flaw that is being blamed in part for fueling a spate of recent break-ins at Fortune 100 companies, including Google and Adobe.

If you use Microsoft Windows, please take a moment now to update your computer. Updates are available for all supported versions of IE and Windows.  The easiest way to install the patch is through Windows Update.  Users who have Automatic Updates turned on may be prompted to download and apply this within the next 48 hours or so, but honestly this is the kind of bug you probably want to quash as soon as possible.

The reason is that this is a browse-to-a-hostile-site-and-quickly-have-a-bad-day kind of flaw. What’s more, Symantec is now reporting that it has discovered hundreds of malicious and/or hacked Web sites are now serving up code that exploits this flaw to download malicious software. While many of these sites are in China, that fact matters little because hackers can always stitch code into a hacked, legitimate site that quietly and invisibly pulls down exploits from other sites. Meanwhile, security firm Websense warns that the targeted e-mail attacks leveraging this flaw continue unabated.

When computer code that exploits this IE flaw was first posted online last week, Microsoft was quick to point out that it had only seen the code working reliably against IE6 users. However, researchers now claim that the exploit can also be made to work against IE7 and even IE8 — the latest version of IE that ships with Windows 7 systems.

The fixes included in this patch aren’t limited to the publicly disclosed flaw: Microsoft has addressed seven other vulnerabilities in this patch as well. More details about this specific update are available at this Microsoft Technet page.


14 thoughts on “Microsoft Issues Emergency Fix for IE Flaw

  1. JBV

    Thank you yet again, Brian. That was a quick and easy download.

  2. CharlieG

    Brian…
    …I’m typing this at 3:50 PM EST Thursday 21st….

    I have “No Important Updates Available” on my Windows Update pane, and the only other category they mention is “Optional”. I use the “Automatic Updates” setting and am using Windows 7 Home Premium.
    Am I just one of a billion or so users just waiting my turn? …or, is this an example of Microsoft’s bureaucracy and have I eluded their sweep?
    Pardon my paranoia, but it seems to me that any change in terminology or vocabulary in this cyber sphere, or any omission may have dire implications.

    ….[ your website becomes more valuable each day…thanks in advance for all that is coming in the future…)

  3. Bob

    My version of IE8 is 8.0.6001.18702.

    Is this the updated version? Come on Microsoft, make it easy for someone to find out the most up-to-date versions. The MS update site does not give versions, just OS types that are vulnerable.

  4. Rick

    You poor, poor people. Here I am, sitting with a computer that hasn’t been hacked in ten years, and hysteria rules in your world again. I concur with Bk that it’s important to get the message out about this update, for we are only as safe and at ease as our weakest link, but I can’t help but laugh.

  5. CharlieG

    >>>Brian,

    ………and readers….

    …Make no mistake…my comment above was not sarcasm. Someone has checked “dislike” against my good faith effort to provide a bit of information, and make an observation.

    Also, I genuinely thank Brian Krebs for his blog here, and for all that he may publish in future…this is indeed a most useful and valuable site.

  6. Kensington

    I clicked on your Windows Update link and received this message:

    “Thank you for your interest in obtaining updates from our site.

    “To use this site, you must be running Microsoft Internet Explorer 5 or later. ”

    Of course I’m using Firefox. Does the message mean I must exit Firefox and open Internet Explorer 8 before I can use their update site? Is there a simple way to obtain the patch without waiting for the automatic update?

    1. BrianKrebs Post author

      Kensington — You need to be using IE to download and install through Windows Update. In Windows Vista and Windows 7 you can update through the Control Panel without explicitly launching IE. There used to be a plugin for firefox that let you do it through that browser, but I’m not sure it’s even still maintained in the current branch, or whether that’s a good idea.

    2. Solo Owl

      In Windows 2000 and XP you will find “Windows Update” or “Microsoft Update” in the Start Menu under All Programs. It opens Internet Explorer to the right place. If you haven’t used it for a while you may have to download or update ActiveX control before you can update.

  7. xAdmin

    Silly Kensington! Of course you must use IE in order to use Windows Update (or the newer Microsoft Update). ;P

    Seriously, you CAN find the download and manually install it by going to the Technet link Brian provided (http://www.microsoft.com/technet/security/bulletin/MS10-002.mspx), scroll down to “Affected and Non-Affected Software”, find your version of IE and OS, and click the link next to it under “Component” (ex. Internet Explorer 8), which will take you to a page to download the exe file. After it downloads, run it (logged in as Administrator of course).

    Or, you can always go to the Microsoft Download Center and search for it:
    http://www.microsoft.com/downloads/en/default.aspx

    But, the best and easiest method to ensure you have ALL critical updates, is to use Windows Update/Microsoft Update. I would highly recommend using the newer Microsoft Update at http://update.microsoft.com/microsoftupdate

  8. Ross

    Fortunately our standard practice is to disable Javascript, Active Scripting and ActiveX on all but a select few websites, meaning we’re not particularly concerned about either this, or nearly every other IE security vulnerability MS have published.

    I think I’ve seen two alerts over the last two years that I’ve actually needed to react quickly to. I’ll install this one in a month or two, after everybody else has tested it out for me 🙂

  9. Charlie G

    Pertinent here is this article in today’s Wall Street Journal…bring up Holman Jenkins Jr.’s “China, Google and the Cloud Wars”. Note particularly the shift in emphasis from “data security” to one of “censorship”. This nasty game also has in the background Yahoo! giving over the name of one of its employees in an earlier mainland Chinese dispute.

    Also stewing in this competitive cauldron is a market of a billion new customers, plus or minus, and, in a culture where preserving “Face”…individually and corporately…..trumps just about everything else, Google has a real tightrope act. Westerners are at a distinctive and inherent disadvantage.

    We’re lucky to have Brian Krebs keeping up with this complicated cat-and-mouse situation for us.

  10. Kensington

    Thank you Brian, Solo Owl, xAdmin, and Doug (Aloha! back to you). Your quick responses helped assure me the aged neophytes out here won’t be completely cut off from help now that Security Fix Live is no more (alas!).

    I ended up using Solo Owl’s method to update last night. It required fewer steps and decisions. But xAdmin’s tip to be logged on as administrator probably saved me some missteps and grief, although I didn’t know if I only needed to be logged on as administrator just to run the downloaded patch, or if I needed administrator rights to download it, too.

    I’m not very comfortable trying to figure out when I need to be in my administrator account. Some antimalware programs, for example, require separate updates in each account (and don’t update the other account), and some allow updates to be made in the admin account only (but update the limited account, too). I tried to make a chart, but gave up. I feel I spend too much time trying to be secure, yet I still fear keystroke loggers!

    1. Solo Owl

      Updating software from a limited account is dicey.

      A good antivirus program should update quietly in the background (at least daily) regardless of your current logon privileges, so no worry here. In Windows XP, every 2 or 3 weeks I log in to my administrator account and click on Microsoft Update. I run Secunia PSI to see if anything else should be updated; I do all the updates from the administrator account. (Except extensions to Firefox &c, which are installed separately for each user.) Then I run several antimalware programs, clean up temp files and other garbage, and optimize my system with MyDefrag. (I can do housework or read paper books while these apps do their things.) Then back to my limited logon for actual use of the system.

      If you don’t know Secunia, Firefox, MyDefrag, &c, search for them in Wikipedia, where you will find links to the official site. This is a good way to avoid fraudulent imitations.

Comments are closed.