Microsoft has released a fix for an Internet Explorer vulnerability that had been exploited by cyber attackers and that had led the U.S. government to recommend that people use alternate browsers until Microsoft patches the problem.
People running Windows with “Automatic Updates” enabled will not need to take any action since the update will be downloaded and installed automatically, Microsoft said in a security advisory issued today.
Individuals who don’t have automatic updates enabled on their PCs can install the update manually by clicking the “Check for Updates” button on the Windows Update bar in the Control Panel.
Corporations’ IT departments can find more details on how to install the update for their organizations in the security bulletin issued today. Microsoft is hosting a webcast at 11 a.m. tomorrow geared toward answering questions from IT people about the fix. Registration for the webcast is here.
And good news for Windows XP users: Although Microsoft had said earlier that any security update would not apply to the nearly 13-year-old Windows XP, which Microsoft had stopped supporting last month, the company said today it made the decision to issue the security update to Windows XP customers.
“Even though Windows XP is no longer supported by Microsoft and is past the time we normally provide security updates, we’ve decided to provide an update for all versions of Windows XP (including embedded), today,” Adrienne Hall, general manager of Microsoft Trustworthy Computing, said in a blog post today. “We made this exception based on the proximity to the end of support for Windows XP. The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown. Unfortunately this is a sign of the times and this is not to say we don’t take these reports seriously. We absolutely do.”
“The security of our products is something we take incredibly seriously,” Hall said. “This means that when we saw the first reports about this vulnerability we said fix it, fix it fast, and fix it for all our customers.”
The vulnerability, which affects IE 6 to 11, is a remote code execution vulnerability, meaning cyber attackers could create a web page and convince users to view that web page or attachment, which would then allow the attackers to execute code on the machine without the victim knowing about it.
The problem was first discovered Friday evening by cybersecurity firm FireEye, which found active attacks exploiting the vulnerability on IE 9 to 11. Microsoft posted an advisory with tips on workarounds on Saturday. On Monday, the U.S. and U.K. governments issued recommendations for people to either implement the workarounds or use alternative browsers.