Microsoft issues emergency IE patch

Computerworld - Microsoft Corp. last week issued an emergency patch to plug a critical hole in Internet Explorer that attackers have been increasingly exploiting from hacked Web sites.

The update was the second emergency patch issued by Microsoft in the past three months.

The latest patch fixes a flaw in the data-binding function in all versions of the company's popular browser. Microsoft labeled the bug "critical," the most serious ranking in its four-level threat-scoring system.

Andrew Storms, director of security operations at nCircle Network Security Inc., said Microsoft executed the emergency release well. "This was a classic case of what we would like to happen," Storms said. "Microsoft acknowledged the fault, issued work-arounds, gave us advance notice that it would patch and then released the patch."

Microsoft first acknowledged the vulnerability on Dec. 10, a day after it unleashed its biggest set of scheduled security updates in more than five years.

According to Microsoft and several security firms, attacks on IE increased quickly after the disclosure, as hackers hijacked legitimate Web sites and launched exploits against unwary visitors. Microsoft said it observed a "huge increase" in attacks on Dec. 13.

Wolfgang Kandek, chief technology officer at Qualys Inc., suggested that users apply the patch immediately. Corporate users "should be able to roll it out with your normal patch process," said Kandek. "Fixes for Word, PowerPoint and especially IE, you should be able to [deploy] quickly without much testing."

The patch is available for users of Windows 2000, XP, Vista, Server 2003 and Server 2008 and can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

This version of the story originally appeared in Computerworld's print edition.

Got something to add? Let us know in the article comments.

Read more about security in Computerworld's Security Knowledge Center.