Microsoft Internet Explorer security patches released

Microsoft on Thursday issued a cumulative critical patch for Internet Explorer that fixes eight vulnerabilities, including a hole targeted in the China-based attacks on Google and other U.S. companies.

The security update is rated critical for all supported releases of IE 5, 6, 7, and 8, according to the advisory. The more severe vulnerabilities could allow remote code execution if a user views a malicious Web page using IE, it said.

What’s more interesting, though, is that Microsoft has known about the issue relating specifically to the Google attacks of a week ago since September last year – so that is 4 months with no action on an issue which has been a factor in attacks on 30+ large corporates. This from a company that touts its security awareness – I’m glad I don’t have to deal with any of this crap every day.

IE6 (the only version supposedly targeted with exploit code at the moment) still has the highest market share of all IE versions – this is obviously a big security issue. Perhaps Microsoft is a victim of its own success here: it deviated from internet standards with early IE versions, leading web developers to select a single platform to code for, and in this case IE was the easier choice seeing as it held greater market share due to being bundled with the OS.

Websense reported on its blog that targeted attacks like those that hit Google, using the IE hole, appear to have started during the week of December 20 and are ongoing against government, defence and energy sectors, and other organizations in the U.S. and the United Kingdom. Victims are receiving targeted e-mails with malware that appears to be a data-stealing Trojan, according to Websense.

Moral of the story? Use an alternate browser, a complete platform or at least make sure you are patched to the hilt. You’ve got no excuse seeing as Firefox 3.6 has just been released and there are other good browsers out there.