Microsoft races to patch IE6 and IE7

March 15, 2010

Yet another security vulnerability has been discovered in Internet Explorer 6 and 7, and Microsoft is working hard to fix it. An Israeli security researcher discovered the problem and posted exploit code that would allow others to essentially take over computers running IE6 and IE7. As with the recent batch of security vulnerabilities, IE8 is not affected.

According to CNET, Moshe Ben Abu, an Israeli security researcher, posted the exploit code based on information that he got from a McAfee blog.  His release of the code makes a zero-day attack much more likely to occur. Asked how serious the zero-day hole is, he wrote in an e-mail to CNET:

The exploit covers Internet Explorer versions 6 and 7, which are not the latest version [IE 8] but many users still use it. In addition, the exploit is quite unstable, with about 60 percent to 70 percent success rate. So I guess it is critical, but not for users who update their Windows with the latest IE.

Microsoft has been urging users of IE6 and IE7 to switch to IE8 because it is a more secure browser, but many people running older computers and operating systems are still using one of the older versions of Internet Explorer.

Microsoft has published an updated Security Advisory 981374. Two workarounds have also been posted as Fix It Solutions, one for IE6 and one for IE7. Still, providing a final patch for the vulnerability will take time and quite a bit of testing. Jerry Bryant, Sr. Security Communications Manager Lead, posted the following on Microsoft’s Security Response Center (MSRC):

We have seen speculation that Microsoft might release an update for this issue out-of-band. I can tell you that we are working hard to produce an update which is now in testing. This is a critical and time intensive step of the process as the update must be tested against all affected versions of Internet Explorer on all supported versions of Windows. Additionally, each supported language version needs to be tested as well as testing against thousands of third party applications.

Normally, patches are issued on “Patch Tuesday” once a month. Patch Tuesday for March occurred this past week on March 9, and the next one isn’t expected for another month. With the exploit code already in the wild, Microsoft would do well to patch quickly. Customers will be anxious to plug the vulnerability as soon as possible. But we will have to see how quickly Microsoft can produce and test a viable patch. It may take a month before the company can even produce a fully tested fix.



One Response to “Microsoft races to patch IE6 and IE7”

  1. DavidB:

    “Microsoft has been urging users of IE6 and IE7 to switch to IE8 because it is a more secure browser but many people running older computers and operating systems are still using one of the older versions of Internet Explorer. ”

    This problem becomes orders of magnitude smaller if corporate IT departments get their IE-6 specific apps up to date and push IE-8 to their users. Until that happens this is just going to keep happening and no amount of doom and gloom from Microsoft or anyone else is going to fix it since the vast majority of people running IE-6 are running it because they have no choice!


Copyright © 2012 Blorge.com NS