Microsoft rushes out software fix to prevent browser attacks

Wed Sep 18, 2013 5:02am IST

The Microsoft logo is seen at their offices in Bucharest March 20, 2013. REUTERS/Bogdan Cristel

(Reuters) - Microsoft Corp released an emergency software fix for Internet Explorer on Tuesday after hackers exploited a security flaw in the popular Web browser to attack an unknown number of users.

The software maker said on its website it released the software, known as a "Fix It," as an emergency measure to protect customers after learning about "extremely limited, targeted attacks" that made use of the newly discovered bug.

Microsoft said the attacks took advantage of an undiscovered flaw, or "zero day" vulnerability in industry parlance.

State-sponsored hacking groups are often willing to pay hundreds of thousands of dollars for zero-day vulnerabilities in widely used software such as Internet Explorer, according to security experts who track that market.

They typically use them on small numbers of carefully selected, high-value targets, to keep such flaws secret.

Once Microsoft issues a warning about a zero-day bug, other groups of hackers involved in massive cyber-crime operations, such as identity theft, rush to reverse-engineer the Fix Its so they can build computer viruses that also exploit the same vulnerabilities.

Security experts said Internet Explorer users should either immediately install the Fix It or stop using the browser until Microsoft can put out an update, which will be automatically installed through its Windows Update program.

"With the Fix It out, I'm sure any attacker who is a bit sophisticated can figure out what the flaw is and implement a similar exploit in their own attack toolkit," said Wolfgang Kandek, chief technology officer with the cybersecurity firm Qualys Inc.

"Fix Its" are pieces of software for remediating security flaws that must be downloaded and installed on PCs. They are designed to protect customers while Microsoft prepares official updates, automatically delivered via the Internet to be installed on computers.

Kandek said he expects Microsoft to push out an update to address the issue within two to three weeks.

The Fix It can be installed by clicking on a link on this page on Microsoft's support site:

(Reporting by Jim Finkle; editing by Jackie Frank)

Comments (1)
scott.ferrell wrote:
Would you care to mention which operating system? OK, I did a search and found PCWorld’s article much more informative.
1) “The bad news is that this is a very wide-reaching patch, affecting all versions of IE across all operating systems, from XP to RT,” he says. “And more bad news: the average user is very susceptible to being hit with this.”
2) Microsoft claims that running Internet Explorer in Enhanced Security Configuration mode prevents this attack. Internet Explorer runs in this restricted mode by default on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.
3) “For less technical users that aren’t comfortable with Microsoft Fix it solutions, using another browser until a patch is available is the best option.”
4) A couple additional notes: The Fix-It solution only works with 32-bit versions of Internet Explorer, and you must first apply the cumulative update for Internet Explorer from last week’s Patch Tuesday (MS13-069).
Wow, you guys missed a lot…

Sep 17, 2013 9:26am IST