Sep 19, 2013

    Emergency patch for Microsoft Web browser

    MICROSOFT released an emergency software fix for Internet Explorer on Tuesday, after hackers exploited a security flaw in the popular Web browser to attack an unknown number of users.

    The software maker said on its website that it released the patch, known as a "Fix It", as an emergency measure to protect customers after learning about "extremely limited, targeted attacks" that made use of the newly discovered bug.

    It said the attacks took advantage of an undiscovered flaw, or "zero-day" vulnerability in industry parlance.

    Some hacking groups are willing to pay hundreds of thousands of dollars for zero-day vulnerabilities in widely used software such as Internet Explorer, according to security experts who track that market.

    The hackers typically use them on small numbers of carefully selected, high-value targets, to keep such flaws secret.

    Once Microsoft issues a warning about a zero-day bug, other groups of hackers involved in massive cybercrime operations, such as identity theft, rush to reverse-engineer the Fix Its so that they can create computer viruses that exploit the same vulnerabilities.

    Security experts said Internet Explorer users should either install the Fix It immediately or stop using the browser until Microsoft can put out an update, which will be installed automatically through its Windows Update program.

    "With the Fix It out, I'm sure any attacker who is a bit sophisticated can figure out what the flaw is and implement a similar exploit in their own attack toolkit," said Mr Wolfgang Kandek, chief technology officer with cybersecurity firm Qualys.

    He expects Microsoft to push out an update to address the issue within two to three weeks.