Earlier this week we reported on a new zero-day (not fixed) vulnerability in Internet Explorer that is already being exploited in targeted attacks by compromised websites – infection can occur simply by visiting the malicious website and could result in an attacker stealing data or taking remote control of a PC.
The vulnerability affects users of XP, Vista or Windows 7 – running any version of Internet Explorer from IE6 to IE9. Microsoft have since released a manual Fix It to resolve the problem – it is available here and IE users are advised to install it to protect against this vulnerability.
The Fix It is “an easy, one-click solution that will help protect your computer right away. It will not affect your ability to browse the web, and it does not require a reboot of your computer“. This is a temporary workaround until the following proper update is released:
Emergency Windows Update – Microsoft have also issued a new security bulletin which details their plans for an automated solution. An emergency (out-of-band) Windows update to address these security vulnerabilities will be released to all users (who have Windows updates set to automatic) tomorrow – Friday 21st September.
A manual Fix It may be appropriate for businesses and tech addicts (who read updates like this) but the majority of IE users are unlikely to ever become aware of the fix (or even the security issue that requires it…) and therefore remain unprotected for longer than necessary – until an automatic Windows update is released later.
I have noted before that this ‘two stage’ approach to securing IE is a major weakness compared to rivals such as Chrome and Firefox. When faced with such a vulnerability, Chrome and Firefox could just release an emergency update of the browser – a new version rolled out automatically to all users to protect them, even if they weren’t aware of the problem…
This delay in patching IE is the inevitable consequence of it being so tightly integrated into Windows, rather than created as a standalone browser – it takes longer to test IE changes and roll out an automatic Windows update than it takes for rivals to update a single program.