Microsoft has just released a fix for a severe vulnerability in its popular web browser, Internet Explorer. The hole was the weak link in IE that allowed the recent "sophisticated and targeted" cyber attacks on Google in China.

Whilst the attacks in China only affected the (now ancient) IE6 version, other versions of IE are also vulnerable and should also be patched or updated immediately. Microsoft recommends that customers install the update as soon as possible or update to the latest version of the web browser for "improved security".

Microsoft normally issues patches monthly, and a patch for this particular hole wasn't scheduled for release until February 2010. Microsoft has admitted it has known of the vulnerability "since early September" 2009, but the high-profile nature of the attacks, and public warnings released by the French and German governments urging their citizens to switch browsers until it was fixed, have led it to act more quickly.

The patch - MS10-002 - was released worldwide on Thursday 21 January 2010 at 1000 PST (1800 GMT).

"It addresses the vulnerability related to recent attacks against Google and a small subset of corporations, as well as several other vulnerabilities," the firm said.

"Once applied, customers are protected against the known attacks that have been widely publicised."

The new patch is available via the Microsoft Update web site and will also be fed out to those who have their machines set to update automatically. All versions of Internet Explorer will receive the update.

Malicious code exploiting the weakness is known to be circulating on the web, and it can be used to compromise web sites. If a web user visits a compromised site using a vulnerable browser, they can become infected with a "Trojan horse", allowing a hacker to then take control of the computer and potentially steal sensitive information.

In addition, the current vulnerabilities in IE may affect other software on the user's machine:

"...there are other applications that may use mshtml.dll as a rendering engine and if those applications allow active scripting, they can be used as an attack vector. Customers who install today’s update are NOT vulnerable and are protected from all known attack vectors. These (other) applications are NOT vulnerable and no security updates are needed for them. Installing today’s Internet Explorer update addresses the vulnerability across all applications".

Related Links:

Microsoft Security Advisory - Bulletin MS10-002 Released

Windows Downloads

Internet Explorer 8

Microsoft Download Center