Facing a firestorm of controversy, Microsoft on Tuesday said it would patch its Internet Explorer (IE) web browser before next month's regularly scheduled security patch release to address the so-called "Aurora" vulnerability. This vulnerability was targeted in the recent China-based electronic attacks on Google and other high tech companies.
Microsoft claims that the vulnerability threat is "limited" but is responding to the intense scrutiny caused by the high-profile Google attacks. Furthermore, the issue doesn't appear to be problematic on the most recent versions of the browser.
"Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves, and the escalating threat environment, Microsoft will release a security update out-of-band for this vulnerability," wrote George Stathakopoulos, a Microsoft security general manager, in a blog post on Tuesday.
Stathakopoulos said that the only successful attacks using the IE vulnerability have been against IE 6, a dated version of the browser that first shipped in 2001 and that only slow-moving and security-unaware corporations still use. He recommends that all Microsoft customers upgrade to IE 8, the latest version of the browser.
Note that IE 8 (like IE 6 and IE 7) is affected by the Aurora vulnerability as well. However, IE 8's default configuration mitigates the vulnerability's effects, and the browser can be hardened further, unlike IE 6. Microsoft has published guidelines for protecting PCs from this vulnerability in a security advisory.
"IE 7 and 8 seem to be holding," Stathakopoulos said. "None of the attacks we know of will be effective against IE 8. That could change, but that is what we know."
Microsoft's decision to patch IE "out of band" (that is, between its regularly scheduled monthly security patch releases) is unusual but not unprecedented. It comes in the wake of widespread condemnation of the browser from security experts and governments: both France and Germany have had similar knee-jerk reactions to the incident and have actually warned their citizens to use alternative browsers instead of IE.
Security experts are preaching calm, however: Attacks against the Aurora vulnerability are extremely limited and target very specific companies. "For the mass majority of users, careful browsing practices coupled with up-to-date antivirus will provide significant risk mitigation," says Andrew Storms, the director of security operations at nCircle. In other words, nothing has changed, and as is so often the case with the Internet, common sense is your best defense.