Microsoft Corp. yesterday released a new bundle of software patches for its widely used Internet Explorer Web browser, including a fix for a flaw that was exploited in June to steal passwords and other personal information.
All three of the Internet Explorer flaws addressed in the bundle were rated "critical," Microsoft's highest severity rating, meaning the company believes they could be exploited by a self-propagating Internet worm to infect computers running various versions of its Windows operating system.
One of the patches fixes a flaw that was used last month to target unsuspecting computer users. In that attack, the intruders apparently found a way to compromise numerous Web sites running Microsoft's Web server software and used those sites as platforms to plant, on the machines of visitors browsing with Internet Explorer, a program capable of capturing people's keystrokes and sending the captured information back to the attackers.
Microsoft did not produce a final fix for the Internet Explorer vulnerability involved in the scam until yesterday. While the company issued an interim fix on July 13, the delay in producing a comprehensive patch gave attackers weeks to create mischief, said Alfred Huger, a senior official at Symantec Corp., an Internet security firm based in Cupertino, Calif.
Huger said attackers have tried to use the Internet Explorer vulnerability at least 424 times over the past six weeks against Symantec customers alone. He said the actual number is probably far higher, as many of the companies that feed data to Symantec do not have the technology in place to distinguish between attacks using this vulnerability and others.
Stephen Toulouse, program manager for Microsoft's security response center, said the company did not want to rush out an untested patch. "We had to take it in steps because we wanted to make sure we did the maximum amount we could to protect people, while at the same time ensuring that the fix is of high enough quality that people feel comfortable installing it," he said.
Even when Microsoft delivers patches quickly, the company still relies on its customers to take the necessary steps to install them. A patch for the server software flaw targeted in the June attack was first released in April, but attackers were still able to exploit unpatched servers two months later.
Microsoft also released several software tools that computer users can download to detect and remove several recent worms and viruses, including the latest variant of the "MyDoom" e-mail worm that emerged this week and caused temporary disruptions in several of the most popular Internet search engines. Another tool removes the "Zindos" Trojan, which allows attackers to take control over MyDoom-infected PCs. All of the patches can be downloaded at www.microsoft.com/security.
Brian Krebs is a staff writer for washingtonpost.com.