Thursday, December 18, 2008

microsoft.com ie security patch


Microsoft Corp. quickly released an emergency patch Wednesday to fix a major security flaw in its Internet Explorer Web browser that has permitted hackers to infect millions of computers with viruses as well as steal personal information.

Until now, the vulnerability has not led to the widespread infections common a few years ago. But an expert from Central Florida said it was the most serious computer-security threat in years.

The flaw, which was first discovered in China, enables hackers to infect a Windows user's computer through certain Web sites. So far, more than 10,000 Web pages have been infected, with many of them devoted to pornography and gaming. According to news reports, about 2 million computers have been infected so far.

Unlike with past viruses, the user does not have to download or click on anything, and nothing pops up on the screen to announce you've got it. But once the computer is infected, the hacker has total control and access to everything, including tax records, bank passwords and Social Security numbers.

The security flaw has been characterized by Microsoft as a "zero-day vulnerability," which means it was exploited immediately after it was discovered.

Typically, Microsoft has time to respond to security flaws and releases patches on the second Tuesday of the month. This flaw was so serious that Microsoft decided not to wait.

"A zero-day vulnerability is like finding out your house is unlocked and then on the same day thieves are ready to move in and steal your stuff," Miller said.

"In a non-zero-day situation, it's like having your doors unlocked, but nobody can get in yet because you have some things protecting the house, such as dogs, and it buys you some time."

For a few years, hackers have increasingly used Web sites to infect computers. For instance, last year, the Web sites of Dolphin Stadium and the Miami Dolphins were hacked to try to infect the computers of people who visited them.

Miller said Orange County has been tracking the flaw, and so far, none of the county's nearly 6,000 PCs has been infected. When Microsoft releases patches, the county's IT staff usually takes about a day or so to test them before deploying them. But in this case, Miller said they would deploy the patch after just an hour or two of testing.

Alex Veletsos, chief technology officer at Orlando Health, said he was very concerned when he first heard about the security flaw last week.

"The worst possible scenario could have been that an outsider could have gotten in our network," Veletsos said. "You can cause damage to computers, bring down servers and remove key information without people knowing about it."

This is an urgent update. If you use Windows, apply this patch now.