Microsoft has issued a stopgap fix to shore up a critical security hole in older versions of its Internet Explorer browser. Meanwhile, exploit code showing would-be attackers how to use the flaw to break into vulnerable systems is being circulated online.
Microsoft warned last week that it was aware of public reports that criminal hackers were using the vulnerability — present in IE 6 and IE 7 — in limited attacks. A few days later, a security researcher put together a working exploit for the flaw, based on a snippet of code he said he found referenced on a McAfee blog post (McAfee says it will be closely reviewing future blog posts to make sure they don’t inadvertently help the bad guys).
Redmond is still working on an official update to plug this security hole, but in the meantime it has released another “fix-it” tool that should allow Windows users to disable the vulnerability at issue. To use this tool, click the “Fix It” icon under the “Enable this fix” heading at this link. Microsoft also has a “fix it” tool to help IE6 and IE7 users turn on a feature called data execution prevention (DEP), which can help Windows block certain types of common but harmful software exploits. To enable the DEP, click the “Fix it” icon under the heading “Enable Application Compatibility Database” at this link.
Note that if you are already running IE8 on Windows XP Service Pack or a newer version of Windows, DEP is already enabled (and you don’t have to worry about this particular IE vulnerability). If the “Fix it” tools cause any problems on your system, you can undo the changes by clicking the relevant “Disable this fix” icons.
In other news, Apple has pushed out a new version of its Safari Web browser that includes some important security patches. Updates are available for both Mac and Windows versions of the software. Windows users can grab the update through the Apple Software Update tool, while Mac users can patch via Software Update.