Microsoft releases fix for browser flaw

SEP. 26 6:23 P.M. ET Microsoft Corp. rushed out a fix Tuesday for a security flaw in its Internet Explorer Web browser after attackers had begun exploiting the vulnerability to take control of computers.

The Redmond-based software maker said it was putting out the fix ahead of the next scheduled security fix release date on Oct. 10 because of the severity of the problem. The flaw carries Microsoft's highest "critical" rating.

The vulnerability in Microsoft's browser is particularly worrisome to security experts because computer users could come under attack just by visiting a Web site that had been manipulated to take advantage of the flaw. That, in turn, would give an attacker complete control of a user's computer, including access to e-mails, personal information and other data.


Johannes Ullrich, chief technology officer with the security research organization SANS Institute, said it appears that a couple of thousand Web sites have already been manipulated to launch such attacks. The attack also seems to be spreading via e-mail, he said.

Stephen Toulouse, senior product manager in Microsoft's security technology unit, said Microsoft had only seen very limited attacks since the flaw became public a little over a week ago. But he said the activity was enough to prompt the company to release the update ahead of schedule.

"What we're seeing from our end are very specific, limited attacks," he said.

This is the latest in a series of flaws that have been publicly disclosed before Microsoft was able to offer users a patch. More typically, security researchers at outside organizations, or within Microsoft itself, discover the flaws and work in secret to come up with a patch before attackers have a chance to take advantage of them.

Ullrich faulted Microsoft for not getting a fix out sooner, noting that attacks are already under way, and urged users to get the fix immediately.

"Installing the patch is definitely the way to go," he said.

Source:- Business Week Online