The software maker offered a work-around earlier this month and had promised in recent days that a comprehensive fix would be coming soon. Microsoft has also worked with law enforcement to shut down the Russian server that had been the source of malicious code.
The new patch, which is available from Microsoft's security Web site, closes the hole, and Microsoft encouraged all IE users to update their browsers. Technically, the flaw is what's known as a cross-domain vulnerability, through which an attacker is able to cross a security boundary within the browser to deliver and execute malicious code.
Microsoft security program manager Stephen Toulouse said that the company was already working on an Internet Explorer update when it became aware in late June that the vulnerability was being exploited. "Once we became aware of the specific attack on our customers, that's when we began to mobilise," Toulouse said, pointing to the company's work with law enforcement and Internet service providers.
The patch also addresses two other publicly known flaws in IE, both related to image processing and both rated as critical because they could allow malicious code to be run on a vulnerable system.
Toulouse said the company does not know of any attacks related to these two flaws, but he added, "We want to make sure that customers have this update so they are protected."
Security company Symantec encouraged Web surfers to apply the patch.
"With the widespread use of Microsoft Internet Explorer in both the enterprise and consumer environments, it is critical that security patches be applied immediately," Alfred Huger, senior director of Symantec Security Response, said in a statement.
Some have said that IE vulnerabilities have become so common that Web surfers should consider other browsers.
Toulouse noted that the company has improved IE in the forthcoming Windows XP Service Pack 2, adding that those running that version of the operating system were not vulnerable to the attack because of changes the company made to the internal structure of the browser.
It took them _how_ long to patch this critical hole? A MONTH? You're kidding me?
Mozilla on Windows has a shell explout hole last month. It took them ONE DAY to fix it and release a patch.
Open Source == Faster Turnaround on Security fixes.
And don't let Microsoft tell you that they have to 'test' their patches. So does Mozilla. And they have to test them on more than just Windows platforms, too.