Microsoft Squashes Internet Explorer Bug
Microsoft has issued a fix for a "zero-day" vulnerability in the Internet Explorer browser. A zero-day vulnerability is one that was previously undetected, and for which, therefore, no protective steps have yet been taken. The recently discovered vulnerability could have allowed attackers to gain access to computers running older versions of the browser, IE 8 and earlier.
For IT managers and professionals at midsize firms, the episode contains a variety of lessons. One is that the inherent complexity of software is such that potential vulnerabilities may still remain even as the software enters the twilight of its life cycle.
The other lesson is the importance of keeping software up to date. The newly found vulnerability affects only older versions of Internet Explorer. Users running the latest version were safe from worry. This consideration is of special importance for the many firms still running Microsoft Windows XP. Redmond will relatively soon end support - including security patches - for that old but still popular version of Windows.
As Steven Musil reports at CNET, Microsoft rounded out 2012 by releasing a security patch for a "zero-day" vulnerability discovered in older versions (IE 6-8) of Internet Explorer.
The vulnerability would have allowed attackers to hijack a target computer. The computer could then be remotely used to host a website for further propagation of the exploit. The vulnerability was discovered in late December. An exploit utilizing it was found on the website of the Council on Foreign Relations, a nonprofit organization dealing with US foreign policy. This circumstance might point to international political motivations on the part of the unknown hackers.
Users of more recent versions of Microsoft's browser were immune to this vulnerability. An unknown - but probably substantial - number of Internet Explorer users, however, have not updated to more recent and robust versions of the browser.
Keeping up to Date
For the IT community at midsize firms, the good news is that Microsoft moved swiftly to patch the vulnerability. The bad news is that the inherent complexity of browsers and other standard software means that potential vulnerabilities can remain undiscovered and unpatched even late in the software's life cycle.
The worst news is that older versions of software remain in wide use long after updated versions - including free updates - are available. Likewise, available patches or protective workarounds (which Microsoft also provided) may remain unapplied by users.
All of this news about zero-day vulnerabilities points up the risk that may accompany Microsoft's planned cessation of support for Windows XP in the spring of 2014. All too many users, including midsize firms, may still be using it beyond that time, and they will need to remain vigilant about security.
For IT managers, the message is that updating, upgrading, and application of security patches all need to be matters of policy.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.