has issued an emergency patch to fix a critical Internet Explorer vulnerability that puts users at risk. At least two million computers have been infected in the past week, most of them in Asia.
The out-of-cycle patch is available through Microsoft's normal update options, including Windows Server Update Services, Microsoft Update, and Windows Update.
The fact that Microsoft broke its normal patch cycle is an indication of the importance of this patch, according to Wolfgang Kandek, CTO of Qualys.
"This is a critical flaw in the most widely used browser on the planet. Internet Explorer users have been exposed for at least a week to high risk while browsing the Internet," Kandek said. "This risk includes having their computer falling under the control of outside attackers, which can then search the computer for personal information such as SSN, install key loggers that record log-in passwords to banking sites, and also use the computer for their own money-making activities."
A Lightning-Fast Fix
The browser flaw was disclosed about a week ago, as a zero-day vulnerability and active exploits have been around the Internet for about that long. The exploit doesn't require users to click on links or download from the Internet. Rather, it infects users when they open a Web page. Microsoft offered several workarounds while it was working on a fix.
"The workarounds provided by Microsoft were very technical and quite cumbersome to implement, making it imperative for Microsoft to release a fix as quickly as possible," Kandek said. One of the workarounds, however, wasn't cumbersome -- but it was a competitive downside. Microsoft, as well as many security analysts, recommended browsers stop using Internet Explorer until a fix was available.
"Given the typical requirements for developing, testing and packaging the changes to a program as widely deployed as Internet Explorer, we have seen one of the fastest turnarounds possible," Kandek said. "Moving faster would require having specific mechanisms in the base code of the , allowing to push out changes in a less disruptive way and would require an extensive rewrite of Internet Explorer. Other browser providers have an edge here as they already have update mechanisms included in their products."
Beware of .Doc Files
A fix was indeed critical, given McAfee's discovery of a spike in the number of active Web sites hosting this exploit. McAfee reports customized versions of the IE 7 exploit with varying degrees of obfuscation.
"Malware authors have been coming up with innovative mechanisms to leverage this exploit to social engineer the not-so-tech-savvy Internet users," McAfee's Rahul Monahdas wrote on the McAfee Avert Labs blog. "One of the most prominent and unique techniques adopted by the malware authors involves a Microsoft Word document being sent out to an unsuspecting user."
According to Monahdas, the charm with this approach is that the exploit is downloaded and run without the knowledge or permission of the user. To the unsuspecting user it will just appear as yet another normal .doc file.
"We want to reiterate to all our readers to be vigilant and cautious while opening unknown .doc files or visiting dubious Web sites, while we continue to monitor the threat and protect our customers against the menace," Monahdas said.