Following recommendations from the French and German governments that users should switch from Internet Explorer, Microsoft has decided to release an emergency browser patch before the next scheduled update on February 9, 2010.
The IE flaw was identified as one of the primary targets of the recent attacks on Google’s Gmail and other systems, which originated in China. The attack, known as “Aurora,” caused several governments and security companies to issue warnings about IE and recommend that users switch browsers until Microsoft produced a patch. (Some took a more cautious approach, stating that attacks were rare and that switching browsers might give users a false sense of security.)
Microsoft continue to deny there is a significant problem, but they cannot really win in this situation. If no fix were issued, the publicity would make people question IE’s security and could prompt businesses and individuals to abandon the browser. By issuing the patch ahead of normal release schedules, Microsoft appears to be admitting that the flaw is as serious as reported.
The Microsoft Security Response Center statement includes:
“Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment Microsoft will release a security update out-of-band for this vulnerability.”
In my opinion, it doesn’t matter whether the security problem is minor or difficult to exploit. You can guarantee programmers and hackers across the world are investigating the flaw because of the publicity which surrounds it. Microsoft is doing the right thing and the patch will be issued once it’s passed the company’s testing procedures.
Many will argue that IE should never have had the flaw in the first place or that it should have been fixed at some point within the past decade. All those who produce perfect bug-free code may mock Microsoft now!…