Analysis: Microsoft's eight-day Internet Explorer fix

The critical vulnerability exposed in Microsoft's Internet Explorer web browser this week was a big enough story to hit the front pages of papers including The Daily Telegraph, The Guardian and even the Metro.

It was a flaw that affected two million users and 10,000 web sites. It was also so serious that it forced a patch to be released out of Microsoft's usual monthly Patch Tuesday cycle.

It all started last week when reports came out that a vulnerability in Internet Explorer 7 was being exploited by hackers.

Initially it wasn't considered serious, and Microsoft was only aware of limited attacks that attempted to use the exploit.

But then the vulnerability spread to earlier versions of IE, including the new beta of IE 8, and fast became a more serious proposition.

Malware writers had been extremely quick to pounce on the zero-day exploit and proceeded to mount mass SQL injection attacks, creating malicious links on legitimate sites.

Anybody using these compromised sites would then proceed to download Trojans, usually via a drive-by download that happens without the knowledge of the user.

Gerhard Eschelbeck, chief technology officer of Webroot, said that malware and the way cybercriminals operate had changed significantly, and users needed to be aware of the new breed of threat.

He said: "While first generation attacks were geared towards operating system vulnerabilities, we see more than 90 per cent of modern malware targeting the browser directly."

Admirably, bloggers at the Microsoft Malware Protection Centre were honest in their appraisal of the vulnerability.

Ziv Mador and Tareq Saade said that roughly 0.2 per cent of users worldwide would have been affected: "That percentage may seem low, however it still means a significant number of users had been affected."

Microsoft stopped short of advising users to stop using its Internet Explorer browser, but many security experts said that the best option was to turn to Firefox or Chrome until the patch was deployed.

Sophos security expert Graham Cluley said that switching the browser which could be used for all employees in a company wasn't an option. He also said that users also had to realise that all browsers had vulnerabilities and were at risk of exploitation.

"There's no such thing as a 100 per cent flaw-free web browser. To reduce the risks you need to change your surfing behaviour, and ensure that your systems are properly protected with up-to-date anti-virus software, patches and firewalls."

Microsoft has taken eight days to offer a patch which it said would protect users from the malicious attacks. In a statement it said: "Like a vaccine developed to fight a virus, this security update will protect computers only if it is installed.

Christopher Budd, a security response communications lead at Microsoft, told the BBC that the company had to mobilise security engineering teams worldwide to offer the patch, which consisted of 300 distinct updates to Internet Explorer in around 50 languages.

Users also enquired with anti-virus vendors about the discovered vulnerability and their ability to detect it. However, David Harley, director of malware intelligence at ESET, said that the security problem in this case was not a specific malware program or family, but rather a vulnerability in the application.

He said: "The threat is not from the vulnerability, so much as from the malware that exploits it. There is a great deal of that, right now.

"In principle, "traditional" anti-virus/anti-malware doesn't necessarily detect vulnerabilities in fact, a scanner that detected vulnerabilities as it does blacklisted malware would be rather different to what we're accustomed to."

He said that no reputable anti-malware company was going to ignore a security problem due to it being a problem with somebody else's application. However he warned users that it wasn't safe to trust on anti-malware to fix an application vulnerability, especially with the patch coming out.

He said: "Good patching practice is an essential part of a defence-in-depth strategy."