Jump to content

if you use IE you need to read this immediately!!!


Recommended Posts


More From PCWorld.com »

Microsoft Issues Emergency Security Patch For IE

Microsoft is issuing an emergency patch for a critical Internet Explorer flaw.

Microsoft will issue an emergency security patch Wednesday for all versions of Internet Explorer. The patch is considered a critical fix for the security flaw currently plaguing the IE browser. So far, more than 2 million computers are believed to have been infected.

An advance notification of the patch published Tuesday describes it as protection for a "remote code execution" vulnerability. The move follows Microsoft's security advisory posted last Wednesday and updated Monday explaining the vulnerability and suggesting temporary "workarounds" for protection.

The flaw can be used to let attackers steal personal data such as passwords if a user visits a compromised Web site, of which at least 10,000 are thought to already exist. Thus far, the vulnerability has been used primarily for grabbing gaming passwords for black market sales. The hole could, however, potentially also be used to steal more sensitive information such as banking passwords and other private information.

Some security analysts had gone as far as to suggest all IE users switch to a competing browser until Microsoft found a suitable fix.

Microsoft's emergency security patch will become available Wednesday at 1 p.m. EST at the Microsoft Update site as well as at the Microsoft Download Center. All users of IE5, 6, and 7 are advised to install it. A separate patch is expected to be made available for users of IE8 Beta 2. Expect to see far more detail by midday Wednesday when Microsoft officially issues its security bulletin.

and more info here:


Microsoft Internet Explorer users told to switch browsers over flawRichard Wray guardian.co.uk, Tuesday 16 December 2008 14.33 GMT Article historyUsers of Microsoft's Internet Explorer have been warned of a flaw that could let hackers gain access to their computers and steal personal data, and told them to swap to a rival browser.

The flaw was spotted last week when hackers started attacking users of IE 7. The flaw, however, has also been found in earlier versions of Microsoft's browser, IE 5 and IE 6.

Because IE is used by seven out of every ten computers in the world, the flaw is potentially very serious. So far, however, it only seems to have been used to steal computer game code from rival gamers.

Microsoft is trying to put together a patch, but in the meantime computer users have been advised to update their security settings or switch to unaffected browsers such as Firefox or Opera.

The latter scored highest in a recent set of tests of how browsers deal with password security, by security consultants Chapin Information Services. Firefox came second with IE mid-table. Google's new browser, Chrome, and Safari 3.2 for Windows tied in last place.

The flaw in IE allows criminals to gain control of computers that have visited a website infected with malicious code designed to exploit it. While restricting web surfing to trusted sites should reduce the risk of infection, the malicious code can be injected into any website. Users do not have to click or download anything to become infected, merely visiting an infected website is sufficient.

Antivirus software specialists Trend Micro believe as many as 10,000 sites have been hacked to exploit the flaw. Sites that have been compromised so far, however, are mostly Chinese and the attackers seem intent on stealing people's computer game passwords in order to sell them on the black market rather than looking for personal details such as bank accounts.

It is known as a "zero-day" attack because it exploits a security vulnerability on the same day that the vulnerability became generally known. Usually there is a "window of vulnerability" between when the flaw is discovered and when the vendor issues a patch. The hope is that the vendor issues the patch before writers of so-called "malware" can exploit the flaw. If the malware writers have the flaw first, then the vendor has "zero days" to create a patch.

"Microsoft is continuing its investigation of public reports of attacks against a new vulnerability in IE," the company said in a security alert updated yesterday. "We are actively investigating the vulnerability that these attacks attempt to exploit. We will continue to monitor the threat environment and update this advisory if this situation changes."

"On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs."

What should Internet Explorer users do?

• Change the program's internet zone security setting to "high". This should protect against all known exploits of this vulnerability by disabling scripting and disabling less secure features in IE. It is, however, likely to slow down a user's web experience.

• Log out of your computer and create a new user account which has limited rights to change the PC's settings. Log in as that user. This should reduce the chances of anyone being able to exploit the flaw should your computer become infected.

• Keep antivirus software up to date. This is likely to have only limited effect as most antivirus software packages only investigate files that are downloaded from the internet, rather than looking at every page visited.

• Switch to another browser, preferably Firefox. This is by far the best option.

***scary stuff folks :(

Link to comment
Share on other sites

the stats on the one page suggested 6 out of 10 'puters in the world is running IE? i think? i'll admit it i was one of those 6... switched at about 5:20 am right AFTER the initial post. still working out the newness with Firefox but liking all the options and the better (maybe false) sense of security.

edit to add:


Microsoft issues patch to fix IE

Microsoft has issued a security patch to fix a critical vulnerability in its Internet Explorer browser it said has attacked over 2m Windows users.The flaw is believed to have already infected as many as 10,000 websites.

The "zero day" exploit let criminals take over victims' computers by steering them to infected websites.

Microsoft's Christopher Budd said the software giant "encourages all IE customers to test and deploy this update as soon as possible".

He also said the threat lead Microsoft to mobilize security engineering teams worldwide to deliver a software cure "in the unprecedented time of eight days".


Change IE security settings to high (Look under Tools/Internet Options)

Switch to a Windows user account with limited rights to change a PC's settings

With IE7 or 8 on Vista turn on Protected Mode

Ensure your PC is updated

Keep anti-virus and anti-spyware software up to date

The company's security response team said the patch consists of more than 300 distinct updates for more than half-a-dozen versions of IE in around 50 languages.

"Even with that, the release Emergency Response process isn't over," said Security Response Alliance director Mike Reavey.

"There is additional support to customers and additional refinement of our product development efforts."

Microsoft stressed that the flaw was proven to exist only in IE 7 on all applicable versions of Windows, but that IE 6 and the "beta" release of IE 8 were "potentially vulnerable".

Users who have automatic updates turned on will receive the patch over the next 24 hours while others can access it via a download.


The AZN Trojan has been making the rounds since the beginning of December but became public knowledge in the last week . Unlike other exploits, users only have to visit a malicious site with Trojans or other malware in order to become contaminated.

Once an infected web page is opened, malicious downloaders are installed on the computer designed to record keystrokes and steal passwords, credit card details and other financial information.

The sites affected are mostly Chinese and have been serving up programmes to steal passwords for computer games which can then be sold for cash on the black market.

Microsoft estimated that one in every 500 Windows users had been exposed to sites that try to exploit the flaw and the number of victims was increasing at a rate of 50% daily.

Researchers at the software security firm Trend Micro said attacks were spreading "like wildfire".

"This vulnerability is being actively exploited by cyber-criminals and getting worse every day," said the company's advanced threat researcher Paul Ferguson.

Microsoft labelled the bug as "critical," the most serious threat ranking in its four-step scouring programme.

Firefox update

The update is something of an unusual move for Microsoft and underscores the seriousness of the zero day flaw.

The company rarely issues security fixes for its software outside of its regular monthly patch updates.

Meanwhile Mozilla has released a scheduled update for its open source Firefox web browsers for at least 10 different vulnerabilities.

The bugs in the browser could have been "used to run attacker code and install software, requiring no user interaction beyond normal browsing," said Mozilla.

It is also reissuing calls for users to upgrade from Firefox 2.0 to Firefox 3.0 as soon as possible and said it is "not planning any further security and stability updates for Firefox 2".

This means Mozilla will no longer support the Firefox 2 browser against future online scams and attacks.

holy smokes!!!!:

"Microsoft estimated that one in every 500 Windows users had been exposed to sites that try to exploit the flaw and the number of victims was increasing at a rate of 50% daily."

you would think something so seemingly widespread would be better publicized in the sense of alerts and such.

Edited by Guest
Link to comment
Share on other sites


[color:red][edit to add]

Its sorta funny to see all the hoopla about this and folks scrambling to use firefox. Makes ya wonder why folks didnt switch when it happened in 2006 (M$ excel "zero-day" flaw) or even when it happened back in january of this year? (also an excel "zero-day" flaw). It's not like it was kept under wraps until now. 028ws9.gif

Edited by Guest
Link to comment
Share on other sites

I don't use IE unless I have to. Firefox is great and I think it's much better. Once you start playing around with it and customizing things a little it's almost impossible to go back.

For example, say you have some sites you go to all the time but have a long address, something on the lines of:


Well, you can go to the page, bookmark and you're golden. Now, add firefox and you can be even better off. Head into your bookmarks, right click on the one you just made and give it a keyword (lets say jambands). Now go to your address bar and type the keyword (jambands in this case) and there's your page...

Rogers Users: Firefox used to be pretty good at figuring out what site you were looking for. If you typed jambands in the address bar (and didn't have it set as a keyword to a bookmark), it would search google using I'm feeling luck (usually the top search result but I'm feeling lucky brings you straight to the page instead of a search results page). Well, rogers has recently decided to change that. Now, if rogers sees that the page you asked for doesn't exist, it will spit back it's own search page (of course filled with ads) instead of the error (it's the error that firefox waits for before searching google for you). Search google for a way to fix this :)

Link to comment
Share on other sites

Also to add:

IE has always been full of holes, I like to think of it like a spaghetti strainer, always have. Firefox has also had some security problems but not near as many and for the most part they can be prevented (as in the statement by the mozilla people that it might have been in firefox but it could never install the stuff automatically without your approval).

I'm not sure why a lot of people don't know about IE but I think it's mostly due to lack of caring much about learning security related computer stuff. If you don't have an IT background, it's much easier to just use IE and you are also much less likely to read IT papers. For that main reason it's also attacked much harder (same with windows) than it's competitors because it has a much higher percentage of oblivious folks using it.

If you find it offensive when I say oblivious folks then don't as the oblivious folks are by far in the majority and there's nothing wrong with it (you should be able to be oblivious about these things if software is built correctly and works properly, especially if the software is geared to general use and the general public).

Link to comment
Share on other sites

I guess it was kept under wraps enough for me not hear about it before.

I wasn't actually refering to anyone in this thread, just in general from reading the news articles posted & numerous other mentions in media (TV, radio microsofts website etc)and some tech sites, there is a lot more people then the few in this thread out there jumping to firefox. But now that you bring it up... 028ws9.gif

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...