'Browse And Get Owned' Patch Coming Tuesday

Microsoft has revealed it will indeed have a fix for a critical Internet Explorer bug in next week's monthly update. The security loophole means XP users who don't have the latest edition of the browser could be infected even by visiting a theoretically safe website.

The bug, which Microsoft describes as "browse and get owned," involves the Active X (Direct Show) system used for displaying online videos. The specific function it affects is no longer used, which may be how the hackers found the loophole.

The bug affects users of Windows XP, as well as anyone running Windows Server 2003 that has changed the settings from the default Enhanced Security mode. Vista and Windows 7 are unaffected.

The bug is triggered through an infected web page being displayed in Internet Explorer 6 or 7, but the latest edition 8 blocks the attack. Both Outlook Express and Outlook automatically block links to infected pages, but links sent in emails may still lead people to the problem.

Zero Day Issue

Microsoft had to respond quickly to the problem as it was a zero day issue: that means that hackers knew about, and were actively exploiting the bug before a fix had been issued. It's reported that some legitimate websites have been attacked and infected with a bug which exploits the problem, with Chinese sites badly affected. The problem was originally discovered by Chinese security experts. (Source: informationweek.com)

When the news first broke, Microsoft said it was not ready to issue a fix as it was still working to produce one that was reliable enough for public release. It now says it believes a fix will be ready for inclusion in next week's scheduled 'Patch Tuesday' update. (Source: technet.com)

Anyone who runs XP along with Internet Explorer 6 or 7 that hasn't yet done so should seriously consider running Microsoft's temporary solution rather than waiting until the fix. The stopgap solution involves killbits, instructions added to the Windows Registry which block the relevant parts of Active X from working. As it's generally best to avoid editing the registry unless you are extremely confident about doing so, Microsoft has issued an automated tool which can be downloaded at http://support.microsoft.com/kb/972890#FixItForMe.