PC World - In an announcement that made big news last month, Google said that it and numerous other companies had been hit by successful hacker attacks. The hacker's means of access: A critical unpatched ("zero-day") hole in Internet Explorer.
Google says it discovered the attack in mid-December. The invasion originated in China, and according to the company, the hackers attempted to break into Gmail accounts and steal information about human rights activists. The IE flaw was exploited to install a Trojan horse that would allow full remote control over a compromised PC.
While the security hole affects IE 6, 7, and 8, the only known attacks were against IE 6. According to Microsoft, security measures (such as Protected Mode for IE 7 and 8, and Data Execution Protection for IE 8) prevented attackers from using this zero-day flaw.
In response to the assault, Microsoft took the unusual step of releasing a fix--which it had already been working on--outside of its normal monthly patch cycle.
The cumulative IE update fixes other serious security holes in addition to the aforementioned zero-day flaw, which can trigger an attack if you view a malicious Web page or poisoned banner ad. The MS10-002 update is rated critical for all supported versions of Internet Explorer, from IE 5 on Windows 2000 through IE 8 on Windows 7. Run Windows Update to make sure that you have picked up the fix.
This latest major attack should prod anyone who has yet to upgrade from IE 6 to take that essential step. The emergency patch will protect against this particular flaw, but it's a safe bet that another hole will be found that causes the now-decrepit browser to throw open the doors of your PC to hackers. If you're stuck using IE 6 at work because of some legacy Website or company program, you might want to use IE only for that old program, and use an alternative browser such as Firefox for your everyday browsing instead.
A Ho-Hum Update for Most
Microsoft's regular Patch Tuesday in January included only one patch, shoring up a flaw with Embedded OpenType fonts that was rated critical only for Windows 2000. Without the MS01-001 update, a vulnerable Windows 2000 system could be taken over by a successful attack, so if you have Win 2000, run Windows Update to be certain that you've nabbed this patch as well. But this is a low-priority fix for all other supported versions of Windows.
Adobe Fixes Own Zero-Day Flaw
Adobe released an essential fix for its Reader and Acrobat programs on the same day as Microsoft's regular monthly patch. Pretty much everyone will need to check that they have the Adobe Reader and Acrobat 9.3 update. It shores up a security hole that had been exploited by malicious .pdf files since December, and it is required for version 9.2 (or earlier) of both programs on Windows, Linux, and Mac systems.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
