
Microsoft: Emergency Patch for IE Flaw Coming Wednesday

Microsoft is signaling that it plans to ship an emergency software update on Wednesday to fix a dangerous security hole in its Internet Explorer Web browser that thousands of compromised Web sites have been using to install malicious software.

Microsoft says the critical flaw is present in all versions of IE, from IE5 all the way up through IE8 Beta 2. In an unusually frank blog post, the company estimated that about 0.2 percent of Windows users worldwide may have been exposed to Web sites containing exploits that try to attack this vulnerability.

While one in every 500 IE users may not sound like a large number, Microsoft said the frequency of attacks is increasing dramatically.

"That percentage may seem low, however it still means that a significant number of users have been affected. The trend for now is going upwards: we saw an increase of over 50 percent in the number of reports today compared to yesterday," wrote Microsoft's Ziv Mador and Tareq Saade.

In a blog post on Dec. 13, security firm Trend Micro said it found evidence that at least 6,000 Web sites had been hacked and seeded with code designed to install password-stealing software when vulnerable users visit the sites with IE. And that was three days ago.

This would be the second time this year that Microsoft will have broken out of its monthly patch cycle to address a pressing security problem. In October, Redmond issued an out-of-band release to fix a critical flaw in Windows.

Microsoft usually issues patches on the second Tuesday of each month, but signs that hackers were exploiting an unpatched flaw in all versions of IE showed up the day after this month's Patch Tuesday. Attackers have begun using this day, sometimes known as "Exploit Wednesday," because it gives them the longest lead time until Microsoft gets around to fixing the flaw, unless the company issues an out-of-band update.

Security Fix will have more information on Wednesday, after Microsoft releases the update. Stay tuned.

By Brian Krebs | December 16, 2008; 3:55 PM ET
Categories: Fraud, New Patches, Safety Tips

Comments

I am SO glad that Microsoft stopped supporting Macs with IE. I'll tell it to all who'll listen: Bless those who disappoint you, for they're leading you toward a better path.

Posted by: watchbird1 | December 16, 2008 5:01 PM

Not really an issue for those of us who use Firefox. If I could uninstall the virus, popup, advertising magnet called IE I would have a long time ago.

Posted by: richcranium34 | December 16, 2008 5:18 PM

It took something like this incident to make me finally download and use Firefox, and ya know what? I'll probably never go back to IE!

Posted by: ohalvey | December 16, 2008 5:46 PM

Firefox works well for me also and I use it most of the time. I keep IE for the rare site that does not play well with Firefox.

Posted by: Bitter_Bill | December 16, 2008 5:53 PM

I use Firefox with a Google home page. I only use IE when Firefox does not work because a site requires IE.

Microsoft is stupid. They could have beaten Google if they had a home search page that is not full of advertisements, etc. Google is popular because many people still actually use dial-up and it takes forever to load pages that are full of advertisements. Google beat that crap by making their home search page load as quickly as possible. Google is also a fast search engine because it searches for a category rather than a word. Only a few search engines have home pages that are not full of advertisements. Google is blowing it now, however, because they permit advertisers to pay so that their site is listed when people search for categories that may be related to the word(s) they are looking for.

I can't wait for the day when they make an entire new Internet and e-mail that is completely protected from spam and advertisements (especially porn). The Internet and e-mail were initially never intended to be used for advertising.

Posted by: maphound | December 16, 2008 6:11 PM

Microsoft screws up at the same rate the GOP screws up. Don't trust either of them.

Posted by: nick4 | December 16, 2008 6:34 PM

The irony is that we have to use IE to download the myriad security updates from Microsoft.

We use Opera as a backup to Firefox, and it seems to work well.

Posted by: Heron | December 16, 2008 6:44 PM

So, as the Rev. Jeremiah Wright would say, "It looks like Microsoft's chickens are all coming home to roost" here. And I add that's what cheapskate Bill Gates and his greed and use of all those H-1B visa yo-yos from India and all Gates's damn outsourcing is coming back to haunt him, as Microsoft was far too slow in fixing this one and Microsoft products keep on becoming an ever poorer quality all the time. It's too bad the Feds didn't break Microsoft up into several smaller companies not under greedy Bill Gates's thumb. Hey, why not band together and file a class action lawsuit against Microsoft for consumer fraud? Shape up or ship out here, you incompetent Microsoft losers.

Posted by: Marilyn80 | December 16, 2008 6:46 PM

Is IE exploited because it's the big dog or because it's, compared to Opera/Firefox..., poorly coded or fundamentally flawed?

If the prior, doesn't this mean all the other browsers' turn is coming?

Posted by: tslats | December 16, 2008 6:50 PM

It's incomprehensible why anyone would still be using MS IE when Mozilla offers Firefox as a free download.

Going back to MS/IE (which seems to stand for 'Must Stabilize/Inherently Erratic') is out of the question once you've tried Firefox and discovered that you don't have to suffer the instability, slowness and tidal wave of advertising that plagues Bill Gates' perpetually flawed and failed excuse for a browser.

Posted by: pali2500 | December 16, 2008 7:21 PM

@tslats, Probably a bit of both. Certainly IE is more widely used, and therefore more profitable to corrupt. But it is a powerful irony that Firefox, being open-source, lays out all its details for everyone, including the bad guys, to inspect and do with as they will. If they can't subvert Firefox as often as they subvert IE, despite having a complete roadmap to Firefox, perhaps Firefox really is well programmed.

Posted by: amturnip | December 16, 2008 8:39 PM

You know, I read in a national periodical, The Washington Post, at the end of last week that China had "inadvertently" released the information that made this flaw much more disseminated than the population who were already aware of it. China then stated in effect "my bad", and that was the last I read about it.
This problem is announced by others as usual after it becomes a major threat and problem. Once again Microsoft's corporate concern over their original intentions.
The question becomes in reflection that around 5 years ago in Time magazine there was a report of China's success in infiltrating a great number of gov't and infrastructure computer systems as well as many corporate sites. In the best interest of all involved, might Microsoft possibly investigate as well whether or not the people and hooligans, unbeknownst to them, played host to some method of future access to a vast array of computers which might allow China to access and power up through the net or web any type of offensive given the state of things now.
I am NOT a conspiracist or paranoid. I do feel that this would seem the perfect opportunity to emplace a "sleeper" back door on an unconscionable amount of computers.
On the flaw, I spend quite a bit of time keeping my computer clean for my sake and my family's, and again, in the investment of time and money, Microsoft comes last in their concern for the user.
I only hope that they are able to secure a means to repair the flaw.

Posted by: oidsci | December 16, 2008 10:14 PM

People, please start using Firefox; it is so much better a browser, and more secure ^_^ I only use IE with rare sites that require IE in order for them to work.

Posted by: esilvaz5 | December 16, 2008 11:50 PM

The patch has hit Microsoft Update. Thanks for all the great info., Brian.

Posted by: tpfm | December 17, 2008 2:12 PM

The out-of-band patch is now available via the Windows Update feature in Internet Explorer or directly at

http://www.microsoft.com/protect/computer/updates/bulletins/200812_oob.mspx

Posted by: AlexBlackwell | December 17, 2008 2:14 PM

Strange - I used Firefox 3.0.5 to download the Microsoft Explorer update and it worked - right down to the reboot and all seems updated from this end. I have never been able to do that!

Posted by: cutting1 | December 17, 2008 4:11 PM

I used Windows update to install this patch in IE. Immediately after the installation both Firefox and Opera stopped working on my Vista system laptop. Both cannot find an Internet connection. However, IE works just fine. I reinstalled Firefox and Opera and the same thing happens; neither works. What are those rats at Microsoft trying to do???

Posted by: Stewie1 | December 18, 2008 3:06 PM

The comments to this entry are closed.


© 2010 The Washington Post Company