Analysis: Microsoft's eight-day Internet Explorer fix

The critical vulnerability exposed in Microsoft's Internet Explorer web browser this week was a big enough story to hit the front pages of papers including The Daily Telegraph, The Guardian and even the Metro.

It was a flaw that affected two million users and 10,000 web sites. It was also so serious that it forced a patch to be released out of Microsoft's usual monthly Patch Tuesday cycle.

It all started last week when reports came out that a vulnerability in Internet Explorer 7 was being exploited by hackers.

Initially it wasn’t considered serious, and Microsoft was only aware of limited attacks that attempted to use the exploit.

But then the vulnerability spread to earlier versions of IE, including the new beta of IE 8, and fast became a more serious proposition.

Malware writers had been extremely quick to pounce on the zero-day exploit and proceeded to mount mass SQL injection attacks, creating malicious links on legitimate sites.

Anybody using these compromised sites would then proceed to download Trojans, usually via a drive-by download that happens without the knowledge of the user.

Gerhard Eschelbeck, chief technology officer of Webroot, said that malware and the way cybercriminals operate had changed significantly, and users needed to be aware of the new breed of threat.

He said: “While first generation attacks were geared towards operating system vulnerabilities, we see more than 90 per cent of modern malware targeting the browser directly.”

Admirably, bloggers at the Microsoft Malware Protection Centre were honest in their appraisal of the vulnerability.

Ziv Mador and Tareq Saade said that roughly 0.2 per cent of users worldwide would have been affected: “That percentage may seem low, however it still means a significant number of users had been affected.”

Microsoft stopped short of advising users to stop using its Internet Explorer browser, but many security experts said that the best option was to turn to Firefox or Chrome until the patch was deployed.

Sophos security expert Graham Cluley said that switching the browser which could be used for all employees in a company wasn’t an option. He also said that users also had to realise that all browsers had vulnerabilities and were at risk of exploitation.

“There’s no such thing as a 100 per cent flaw-free web browser. To reduce the risks you need to change your surfing behaviour, and ensure that your systems are properly protected with up-to-date anti-virus software, patches and firewalls."

Microsoft has taken eight days to offer a patch which it said would protect users from the malicious attacks. In a statement it said: “Like a vaccine developed to fight a virus, this security update will protect computers only if it is installed.

Christopher Budd, a security response communications lead at Microsoft, told the BBC that the company had to mobilise security engineering teams worldwide to offer the patch, which consisted of 300 distinct updates to Internet Explorer in around 50 languages.

Email to a friend

Print this page