Microsoft Corp. today released a new bundle of software patches for its widely used Internet Explorer Web browser, including a fix for a flaw that hackers have been using to target computer users since early June.
All three of the Internet Explorer flaws addressed in the bundle were labeled "critical," meaning Microsoft believes they can be easily exploited by an Internet worm to infect personal computers running various versions of the company's Windows operating system.
The company issued the patches outside of its regular monthly release schedule because of the severity of the threat, said Stephen Toulouse, program manager for Microsoft's security response center.
One of the patches fixes a flaw that attackers seized on last month in a complex online scam involving three separate flaws in Microsoft software. In that attack, hackers were able to hijack numerous Web sites powered by the company's server software and transform them into platforms for infecting visiting computers with "spyware" -- software that records personal data on a computer and quietly transmits the information back to its authors.
Microsoft did not produce a final fix for the Internet Explorer vulnerability involved in the scam until today. While the company issued an interim fix on July 13, the delay in producing a comprehensive patch gave hackers weeks to deliver spyware and other malicious programs to computers navigating the Web with Internet Explorer, said Alfred Huger, a senior official at Symantec Corp., an Internet security firm based in Cupertino, Calif.
Huger said attackers have tried to use the Internet Explorer vulnerability at least 424 times over the past six weeks against Symantec customers. He said the actual number of such attacks against the systems it monitors is probably far higher, as many of the companies that feed data to Symantec do not have the technology in place to distinguish between attacks using this vulnerability and others.
Toulouse said Microsoft needed time to test its comprehensive fix for the Internet Explorer problem. "We had to take it in steps because we wanted to make sure we did the maximum amount we could to protect people, while at the same time ensuring that the fix is of high enough quality that people feel comfortable installing it," he said.
Even when Microsoft delivers patches quickly, the company still relies on its customers to take the necessary steps to install them. A patch for the server software flaw targeted in the June attack was first released by the company in April, but hackers were still able to find and exploit unpatched servers two months later.
Flaws in the Internet Explorer browser are particularly dangerous because more than 95 percent of the world's Web surfers use it when they go online, according to WebSideStory, a Web site analytics company based in San Diego.
Microsoft also released several software tools today that computer users can download to detect and remove several recent worms and viruses, including the latest variant of the "MyDoom" e-mail worm that emerged this week and caused temporary disruptions in several of the most popular Internet search engines. Another tool removes the "Zindos" Trojan, which allows hackers to take complete control over MyDoom-infected PCs. All of the patches can be downloaded at www.microsoft.com/security.
Microsoft has issued more than a dozen "critical" software patches so far in 2004. In early 2002, company co-founder Bill Gates launched the "Trustworthy Computing" initiative dedicated to securing the company's many software products. In addition to regularly releasing software patches on its Web site, the company retooled its Windows XP software to heighten certain security features and provides an online service that scans Windows computers for any needed software updates.