Microsoft Kept Busy Solving Existing IE Bugs
The security vulnerabilities of Microsoft’s web browser, Internet Explorer, are well known. Much of the viruses and other malware in the internet exist because hackers already know too well how to exploit Internet Explorer’s weaknesses.
Microsoft has not been sitting idly by however, and with the release of the latest version of its web browser, Internet Explorer 8, a lot of vulnerability issues have been resolved. Together with the latest version of IE, Microsoft maintains a schedule of releasing updates or patches to software. Patch Tuesday, as how the internet press calls it, occurs every second Tuesday of the month, and has been Microsoft’s way of pro-actively making users involved in maintaining the software in their computers
But there are rare events when fixes are released outside the schedule. Recently, Microsoft was forced to issue emergency patches after 2 IBM researchers found a way to exploit a vulnerability problem the software company thought they had already solved.
Internet Explorer utilizes software called ActiveX controls in order to provide added functionality like displaying videos or playing music inside the browser window. However, it has been found that some of these ActiveX controls are vulnerable to a type of attack called drive-by downloads. Some of the ActiveX controls found to contain this type of vulnerability include the popular Adobe Flash and Shockwave Player and even Microsoft Office components.
Microsoft’s quick response to such vulnerabilities is to issue “kill-bits” which is essentially one way of disabling a vulnerable ActiveX control. A “kill-bit” works by erasing the ActiveX control from a long list of software that is allowed to run in the computer.
What the two researchers found was a way of circumventing the list and allowing the vulnerable ActiveX control to once again run inside Internet Explorer. This is a serious flaw because the buggy ActiveX control, once hacked, allow intruders unlimited access to the computer. The seriousness of the bug becomes apparent considering that hundreds of vulnerabilities have been patched using “kill-bits”. Once hackers figure out a way to go around the “kill-bits” fix, hundreds of thousands of computers once thought to be already secured are once again open to malicious attacks.
The out of schedule emergency patch release has been said to be a highly unusual move for Microsoft. It is only when malicious attacks happen in the real world that such emergency releases take place. Although attacks employing the vulnerabilities did not happen, Microsoft must have felt really threatened, which was why the out-of –schedule fix took place.
By now, Patch Tuesday, or August 11 has already passed. Your computers may have been updated if automatic updates to software have been set. Adobe has also issued fixes to its Flash and Shockwave plugins.
A simple way to be on the safe side is to let the computer update itself by turning on automatic updates.