Experts Urge: Upgrade to IE8 Now, or Face Consequences

Dennis Faas's picture

Microsoft has officially released a patch addressing a widely reported critical zero-day flaw in its Internet Explorer browser. The patch addresses not just one or two critical issues, but ten in total, leading security experts to emphasize the importance of having all Internet Explorer users upgrade to Internet Explorer 8.

Yesterday's emergency patch release is unusual for Microsoft, which typically reserves the second Tuesday of every month for its monthly updates. However, since a critical zero-day flaw in Internet Explorer versions 6 and 7 eluded the last Patch Tuesday release, Microsoft decided to release this set of critical patches now, rather than later.

The next Patch Tuesday is on schedule and slated for April 13, 2010.

10 Critical Vulnerabilities Addressed

The explanation for the ten critical issues is simple: the fix for the zero-day flaw has been issued for more than just one version of Internet Explorer. Despite earlier reports that Internet Explorer 8 was not affected by the issue, Microsoft has in fact released a fix for IE8, as well as IE 7, IE 6, IE 6 Service Pack 1, and IE 5.01.

The update has been ranked "important" for Internet Explorer 6 and "moderate" for IE 8 on Windows servers. Microsoft emphasizes that Internet Explorer 8 is not affected by the issue, so presumably the patch for IE8 is to prevent hackers from using a variation of the critical flaw to attack the newer browser.

Web Browser Attacks on the Rise

Security firm nCircle's director of security operations Andrew Storms believes Microsoft's release of the update just two weeks before the next scheduled Patch Tuesday speaks to the threat's severity. "If you consider that the normal release cycle is only a few weeks away, and they chose to release it, it's another indicator that the attacks have been on the rise," Storms said. (Source: crn.com)

The threat is related to an invalid pointer reference in Internet Explorer: the pointer can still be used after the object it refers to has been deleted. When that happens, an attacker has an opportunity to achieve remote code execution. Microsoft's patch "verifies the origin of scripts and handles objects in memory, content using encoding strings and long URLs."

Security Firms Urge Users to Upgrade to IE8

According to Storms, the zero-day flaw addressed yesterday, which can also be exploited by convincing a user to click on a malicious link in a web page, is not particularly novel, even if it is serious. "It's pretty typical of browser bugs," Storms said. "You click on a link and are taken to a Web site where there's some kind of malware that does weird things in HTML or JavaScript."

Storms believes the one thing people should take away from the patch is that it's time to upgrade their web browsers. "The message today should be to get onto IE8," Storms said. (Source: computerworld.com) Other security firms concur with his advice.
