in brief Microsoft has released a critical security patch to plug vulnerabilities in Internet Explorer, a move that comes amid malicious attackers taking advantage of the security flaws.
The patch is designed to prevent attackers from downloading malware onto users' computers if they visit a malicious web site, or a legitimate Web site that has been infected.
This zero-day exploit has been in circulation since the first week of December and potentially could have infected a wide swath of users. The vulnerabilities are found in not only IE 7, Microsoft's latest browser, but also Internet Explorer 5.01, Internet Explorer 6, and Internet Explorer 6 Service Pack 1.
This is the second time in 18 months that Microsoft has gone out of band to release an emergency patch (last time being October for the RPC issue) for the Internet Explorer, which is being actively exploited right now. There has been Proof of Concept (POC) code for the exploit available since December 11th. Coming just the week before christmas and given the wide use of IE within business enterprises and severity of the vulnerability, clearly IT professionals need to patch this vulnerability as soon as business conditions permit. There were over 100 websites on the Dec 11th hosting some type of malware associated with this vulnerability. Today, that has grown to thousands of sites now hosting the malware.
Microsoft felt this issue warranted an out of band patch due to the underlying exploit being actively used in the wild and damage was mounting. Their are reports of up to 6000 compromised web sites hosting web pages that take advantage of the vulnerability.
A recent study titled “Understanding the Web browser Threat: Examination of Vulnerable Online Web browser Populations and the Insecurity Iceberg" found that 57% of IE users were not running the most current version that’s patched. This will be a wake up call to IT professionals to make sure to patch their browsers. This speaks volumes to the underlying problem with web-borne malware. We as a community are constantly trying to outsmart the bad guys on their delivery method. However, it is not necessarily a delivery / obfuscation issue – the underlying issue is a failure to patch, including their browsers. A recent Verizon study showed that over 70% the exploits used in web-borne malware had vendor patches available for up to a year and less then 1% had patches available within a 30 day window. The web-borne malware issue is a patch management issue and can be simply fixed by patching in a timely fashion according to industry best practices.