SAN FRANCISCO — Microsoft issued a fix on Thursday for a security flaw in Internet Explorer that led the Department of Homeland Security to suggest users change browsers until the problem was solved.

The fix updates the computers of all users of the Windows operating system who have automatic updates turned on, the company said on its security response page.

For those that don't have the updates enabled, "now is the time," wrote Dustin Childs, with the response communications team at Microsoft. To turn it on, users should click on the "Check for Updates" button on the Windows Update portion of the Control Panel.

"For those manually updating, we strongly encourage you to apply this update as quickly as possible following the directions in the released security bulletin," Childs said.

The fix is surprising because it also includes code for the Windows XP operating system, which Microsoft officially stopped supporting on April 8.

Because the security flaw came to light so close to the end of Microsoft support of the still-popular operating system, the decision was made to aid consumers, said Adrienne Hall, general manager with the company's Trustworthy Computing section.

"Of course, we're proud that so many people loved Windows XP, but the reality is that the threats we face today from a security standpoint have really outpaced the ability to protect those customers using an operating system that dates back over a decade," she said.

"This is why we've been encouraging Windows XP customers to upgrade to a modern, more secure operating system like Windows 7 or Windows 8.1," she said.

The Internet Explorer security flaw allows hackers to get around security protections in the Windows operating system. A computer can then be infected when the user visits a compromised website.

The security update was pushed out to consumers' computers through a function in the Windows operating system called Windows Update. The fix is coming outside of Microsoft's usual monthly security update cycle, said Hall.

"The security of our products is something we take incredibly seriously, so the news coverage of the last few days about a vulnerability in Internet Explorer has been tough for our customers and for us," she wrote on a Microsoft tech blog.

"This means that when we saw the first reports about this vulnerability we said fix it, fix it fast, and fix it for all our customers. So we did."

That's a big deal, said Trey Ford, a strategist with Rapid7, a Boston-based computer security firm.

"Major vendors like Microsoft, Oracle, Adobe and others have highly structured software-testing workflows that are expensive in terms of time and resources," he said. "To interrupt a scheduled development cycle for an emergency patch, or 'out of band' release, is a noteworthy event, where a vendor is placing the public good ahead of their development and delivery life cycle."
The security flaw was first publicized on Saturday by FireEye, a Milpitas, Calif.-based computer security company. They observed a known hacking group launching "spear-phishing attacks" against some of their customers, said Darien Kindlund, director of threat research.

Someone within the targeted company would get an e-mail with a link to a website the attackers controlled (the spear thrown to the fish). "The victim would click on the link, and simply by going to the page, their system would be compromised," Kindlund said.
The attacks appeared to have been mainly done for industrial espionage, targeting intellectual property or corporate secrets, Kindlund said. Because of that, it appears the group wasn't interested in the computers of regular consumers.

However, in many such cases, the computer code necessary to carry out the attack is dispersed relatively quickly to less sophisticated groups simply looking to steal credit card information. Because Microsoft released its patch so quickly, that doesn't appear to have had time to happen, Kindlund said.
