Want CNET to notify you of price drops and the latest stories?

Microsoft rushes out critical IE fix

Departing from schedule, the company patches a month-old security hole in the browser software that had spawned attacks.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
2 min read
Microsoft published a patch for Internet Explorer on Wednesday, aiming to close a month-old hole that has been used by viruses to spread and by an ad banner attack to compromise PCs.

The vulnerability, dubbed the Internet Explorer Elements flaw by Microsoft, had previously been called the iFrame vulnerability. The issue--which does not affect Microsoft's major Windows XP security update, Service Pack 2--could allow an attacker to take control of a victim's PC, if the user is logged on as an administrator. Most home users tend to log onto Windows as administrators.

A Microsoft representative said the software giant had released the update before its next scheduled patch day, Dec. 7, because it had already been used by malicious software to compromise Windows users' PCs.

"That's one of the things that we factor in--when the customers are affected or there are active attacks," said Stephen Toulouse, security program manager at Microsoft's security response center.

An attacker can use the vulnerability to gain control of a person's computer when the victim clicks on a simple Web link. The attacker would then have complete control of the system, and could install programs, view, modify or delete data and create new accounts.

The patch arrived more than a month after news of the vulnerability was first posted on public security mailing lists. The move garnered criticism from Microsoft, which has led a drive to convince security researchers to give software makers at least 30 days to fix issues before outing the problem in public forums.

The IE flaw underscores that online criminals are all too willing to use the latest vulnerabilities to take illicit control of users' PCs.

Two computer viruses appeared on the Internet in early November, using the vulnerability in Microsoft's browser to infect PCs after their users clicked on a simple Web link. The viruses, called Bofra.A and Bofra.B by antivirus companies, were loosely based on the source code of MyDoom.

In addition, online intruders breached the security of at least one server at advertising host Falk last week and used the computer to distribute an attack to the service's clients, including The Register, a technology news and opinion site.

The IE Elements flaw affects PCs with IE version 6 installed, but does not affect computers that have been upgraded to Service Pack 2. The software, the latest version of Windows XP, has been downloaded more than 130 million times, Microsoft's Toulouse said.

The latest update for IE 6 can be downloaded from Microsoft's security site or through Windows Update.