
Date: Thursday, January 21, 2010

Microsoft patches hole in Internet Explorer

Microsoft has patched a hole in its Internet Explorer browser that may have allowed Chinese hackers access to human rights activists' e-mail accounts. It usually issues patches every month but said the attention the problem had received made it move more quickly.

It follows advice from the French and German governments telling people to use other browsers until the hole had been closed.

Microsoft said users can download and apply the patch immediately.

Trojan Horse

The MS08-078 patch, for all current versions of Windows, is available via the Microsoft Update site and will be fed out to those that have their machines set to update automatically.

Malicious code exploiting the weakness is known to be circulating on the web, said security experts.

If a web user were to visit a compromised site using a vulnerable browser, they could become infected with a "trojan horse", allowing a hacker to take control of the computer and potentially steal sensitive information.

Microsoft said on 18 January that there were "very few" infected sites on the web.

But security firm Sophos said it had now seen "copycat" sites trying to exploit the vulnerability.

"Though numbers are still very low, over the past 24 hours or so we have seen a few sites serving up malicious code attempting to exploit the vulnerability," it said in a blog post.

'Weak link'

The bad publicity has allowed rivals such as Firefox to gain market share.

According to web analytics company StatCounter, Firefox is now a close second to Internet Explorer (IE) in Europe, with 40% of the market compared to Microsoft's 45% share.

In some markets, including Germany and Austria, Firefox has overtaken IE, the firm said.

Microsoft said it had now decided to act on the security hole.

"Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment, Microsoft will release a security update out-of-band for this vulnerability," said George Stathakopoulos, general manager of Microsoft's trustworthy computing security group.

"We take the decision to go out-of-band very seriously given the impact to customers, but we believe releasing an update is the right decision at this time," he said.

He said that the only successful attacks "to date" were against IE 6.

"We continue to recommend customers update to Internet Explorer 8 to benefit from the improved security protection it offers," he said in a security advisory.

Following the high-profile attacks on Google, Microsoft admitted that IE was a "weak link".

The recent spate of attacks was alleged to have hit more than 30 companies including Google and Adobe.

Google threatened to withdraw from the Chinese market following the attacks.

Source: BBC






