Security researchers, companies, technology journalists, Mac fans and Linux zealots have been united in urging (or lambasting) Microsoft to fix the problem quickly and shut down an attack vector, in place on thousands of websites, that could allow “remote code execution” on any computer running any recent version of Internet Explorer.
Although the attack is most likely to occur on sites offering pornography or pirate software, or other rogue sites (particularly in China), legitimate web sites have also reportedly been attacked by hackers to trap users who either wouldn’t normally go to unsavoury sites or who are avoiding them while the bug remains unpatched.
Microsoft had initially issued instructions on its “security page” to set Internet Explorer security settings to a higher level, while another common piece of advice on the Internet simply revolved around using Firefox or some other browser, either in perpetuity or at least until an official patch was issued.
Microsoft Australia has issued the following statement which closely mirrors statements issued by other Microsoft offices around the world, in response to the threat:
“In light of a recently discovered vulnerability in Internet Explorer that affects all versions and allows for remote code execution, Microsoft teams worldwide have been working around the clock to develop a security update to help protect our customers and have just released the Advanced Notification Service advising customers that Microsoft will be providing a Security Update at roughly 5am, December 18th, to protect them from the vulnerability discussed in Microsoft Security Advisory 961501.
“To date, the impact on Microsoft’s Australian customers has been minimal and Microsoft is not advising Internet Explorer users to switch browsers.
“The Microsoft Security Response Center continues to monitor the threat landscape while working, and sharing information with, partners around the globe through the Microsoft Active Protections Program to help protect our mutual customers.”
Microsoft Australia’s statement continues: “Until the update is available, Microsoft strongly encourages customers to follow the Protect Your Computer Guidance at www.microsoft.com.au/security, which includes activating the Automatic Update setting in Windows to ensure that they receive the update as soon as it is available, enabling your firewall, ensuring your antivirus and antispyware is up to date.
“They can also take additional precautions by setting their Internet Explorer security settings to “High” and using Internet Explorer 7 in “Protected Mode”.
“Microsoft is hosting a webcast to address customer questions on this bulletin on 17 December, 2008 at 1:00PM Pacific Time (US & Canada)/ 18 December, at 8:00AM AEDT (NSW, VIC, ACT). (Tuesday in the US, Wednesday in Australia).
“Register now for the Out-of-band December Security Bulletin Webcast.
“After this date, this webcast is available on-demand.”
So, although it would have been a lot better had a patch been made earlier, a patch is finally on the way, well outside of Microsoft’s normal monthly “Patch Tuesday” schedule, to respond to the threat.
It’s also important for Mac and Linux users, and users of other browsers feeling smug about the issue, to remember that security vulnerabilities are regularly found and patched – even on Linux – and that regularly updating your operating system/browser/software is vital, no matter what OS you use.
It’s also important to ensure your Internet security software is the latest version and is always set to update automatically.
It’s also worth buying and installing browser-independent security software such as TrustDefender. This would shut down any banking Trojans that may have been loaded after unpatched exposure to an infected site, thus protecting your banking transactions even if your computer is otherwise infected to the gills with known or unknown malware – see TrustDefender’s site for more information.