The BBC and others are reporting today on a security vulnerability in Internet Explorer 7 — though earlier versions of the Microsoft Web browser also have the same flaw — that has yet to be patched. Microsoft has been working on it since at least Wednesday, when it published a security bulletin explaining the flaw.
Update, 12:40 p.m.: Microsoft says it has a security update for this vulnerability. It will be released Wednesday morning at 10 a.m. via Automatic Updates and Microsoft Update. More after the jump.
The BBC cites security experts who are advising users of IE to switch to another browser, such as Firefox or Safari, until the flaw is corrected.
“If users can find an alternative browser, then that’s good mitigation against the threat,” Rick Ferguson, senior security advisor at Trend Micro, told the BBC.
If people follow this advice, it could be an additional blow to Microsoft, which has watched its once-dominant share of the browser market erode in recent years. As recently as 2004, Internet Explorer had more than 90 percent of the browser market. In summer, IE’s market share was 73 percent, Firefox had 19 percent and Apple’s Safari had 6 percent, according to Net Applications.
According to a Microsoft blog post last week, there were still “limited attacks seeking to load malicious software on vulnerable systems.”
Microsoft is “actively investigating the vulnerability that these attacks attempt to exploit” and lists a number of workarounds and suggestions for minimizing the vulnerability on its security Web page.
Update, 12:40 p.m.: Microsoft is calling its response to the threat “unprecedented.” “Microsoft immediately mobilized security engineering teams worldwide to develop, test and deliver a security update of appropriate quality for worldwide distribution in the unprecedented time of eight days,” the company said in a statement.
Click here for more details on the fix and two Web casts the company has planned for Wednesday and Thursday to answer questions on the topic.