Microsoft Prepares Emergency IE Patch

By Craig Buckler

Following recommendations from the French and German governments that users should switch from Internet Explorer, Microsoft has decided to release an emergency browser patch before the next scheduled update on February 9, 2010.

The IE flaw was identified as one of the primary targets of the recent attacks on Google’s GMail and other systems which originated in China. The attack, known as “Aurora,” caused several governments and security companies to issue warnings about IE and recommend that users switch browsers until Microsoft produced a patch. (Some took a more cautious approach, stating that attacks were rare and that switching browsers might give users a false sense of security.)

Microsoft continues to deny there is a significant problem, but it cannot really win in this situation. If it does not issue a fix, the publicity would make people question IE’s security and could prompt businesses and individuals to abandon the browser. By issuing the patch ahead of normal release schedules, Microsoft appears to be admitting that the flaw is as serious as reported.

The Microsoft Security Response Center statement includes:

Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment Microsoft will release a security update out-of-band for this vulnerability.

In my opinion, it doesn’t matter whether the security problem is minor or difficult to exploit. You can guarantee programmers and hackers across the world are investigating the flaw because of the publicity which surrounds it. Microsoft is doing the right thing and the patch will be issued once it’s passed the company’s testing procedures.

Many will argue that IE should never have had the flaw in the first place or that it should have been fixed at some point within the past decade. All those who produce perfect bug-free code may mock Microsoft now!…

  • ChromeSuck

    Why Google is hack… with IE!!! It’s just a campaign to shut down IE and promote Chrome, isn’t it?

  • Not exactly. As far as I’m aware, the IE security flaw was exploited to gain access to Google’s systems. That said, the publicity has been great for Google but not for Microsoft.

  • Patch released: KB978207

  • Uncle Albert

    All those who produce perfect bug-free code may mock Microsoft now!…

    Ummm, yeah right. I don’t work for a company that has thousands of programmers available to proof my code. Microsoft’s integration of browser and operating system is and has always been — at best — a double-edged sword.

  • W2ttsy

    I think the real problem here is not so much that IE is a buggy app (because it is), but Microsoft’s unwillingness to patch stuff quickly. Craig mentions at the end that all people that produce bug-free code have the right to mock (glasshouses and stones, etc). I agree to an extent, but at the same time, even companies that do release buggy code have an opportunity to fix that bad rep by frequently updating their production code base or issuing a patch immediately.
    IIRC, upon identification of the Safari exploit via QuickTime, Apple released a working patch that evening. Why isn’t MS doing the same? When flaws of this magnitude are found in an app, it shouldn’t be the risk of looking bad because of a faulty app that holds the company back, it should be the positive publicity that comes out of fixing the bug fast and getting it out there…

    Of course it doesn’t help that a lot of the affected users will be people stuck with IE6 due to hacked or pirated copies of Windows… Hopefully MS won’t cripple the update to only work on legit copies of Windows….
