Microsoft releases fix for critical Internet Explorer bug

USPA News - Microsoft released a security update for Internet Explorer on Thursday to fix a recently-discovered vulnerability that allowed attackers to take complete control of a computer, but the technology giant said there had been only a "very small number" of attacks. The vulnerability - affecting Internet Explorer 6 through 11 on Windows systems - was first disclosed by network security company FireEye on Saturday, after which the U.S. government recommended users to avoid using the browser until a fix was made public.

FireEye said hackers were "actively" exploiting the vulnerability though the extent remains unclear. Attackers were able to exploit the vulnerability by creating a website to execute remote code, allowing the attacker to gain access to computers with the same user rights as the victim. If the victim was logged on with administrative user rights, the attacker would then have complete control of the affected system, allowing him to install programs and to view, change, or delete personal data. A security update to address the vulnerability was released on Thursday afternoon. "Customers are advised to install this update promptly," said Dustin Childs, group manager of response communications at Microsoft`s Trustworthy Computing division. "The majority of our customers have automatic updates enabled and so will not need to take any action as protections will be downloaded and installed automatically." The security update was also made available to those still using Windows XP, even though Microsoft dropped support for the outdated operating system last month. "We made this exception based on the proximity to the end of support for Windows XP," said Adrienne Hall, general manager of Trustworthy Computing. Hall said the technology giant acted quickly when it first learned about the vulnerability and emphasized that Internet Explorer - which currently has an estimated global market share of 21.4 percent - remains a safe browser. "We said fix it, fix it fast, and fix it for all our customers. So we did," she said. It remained unclear on Thursday how many computers were compromised through the vulnerability, which Microsoft rated as critical for computers running on Windows and as moderate for servers running on Windows. "The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown," Hall said. The security update for Windows XP users came as a surprise as Microsoft had warned users for months that they would no longer be protected when new vulnerabilities are discovered, though Hall said users should still upgrade. "Just because this update is out now doesn`t mean you should stop thinking about getting off Windows XP and moving to a newer version of Windows and the latest version of Internet Explorer," she said.