Microsoft has issued a security patch to fix a critical vulnerability in its Internet Explorer browser that it said has been used to attack over 2m Windows users.
The flaw is believed to have already infected as many as 10,000 websites.
The “zero day” exploit let criminals take over victims’ computers by steering them to infected websites.
Microsoft’s Christopher Budd said the software giant “encourages all IE customers to test and deploy this update as soon as possible”.
He also said the threat led Microsoft to mobilize security engineering teams worldwide to deliver a software cure “in the unprecedented time of eight days”.
The company’s security response team said the patch consists of more than 300 distinct updates for more than half-a-dozen versions of IE in around 50 languages.
“Even with that, the release Emergency Response process isn’t over,” said Security Response Alliance director Mike Reavey.
“There is additional support to customers and additional refinement of our product development efforts.”
Microsoft stressed that the flaw was proven to exist only in IE 7 on all applicable versions of Windows, but that IE 6 and the “beta” release of IE 8 were “potentially vulnerable”.
Users who have automatic updates turned on will receive the patch over the next 24 hours while others can access it via a download.
‘Wildfire’
The AZN Trojan has been making the rounds since the beginning of December but became public knowledge in the last week. Unlike with other exploits, users only have to visit a malicious site with Trojans or other malware in order to become contaminated.
Firefox update
The update is something of an unusual move for Microsoft and underscores the seriousness of the zero day flaw.
The company rarely issues security fixes for its software outside of its regular monthly patch updates.
Meanwhile Mozilla has released a scheduled update for its open source Firefox web browsers for at least 10 different vulnerabilities.
The bugs in the browser could have been “used to run attacker code and install software, requiring no user interaction beyond normal browsing,” said Mozilla.
It is also reissuing calls for users to upgrade from Firefox 2.0 to Firefox 3.0 as soon as possible and said it is “not planning any further security and stability updates for Firefox 2”.
This means Mozilla will no longer support the Firefox 2 browser against future online scams and attacks.
Source: BBC News – http://news.bbc.co.uk/1/hi/technology/7788687.stm
Users of Microsoft’s Internet Explorer are being urged by experts to switch to a rival until a serious security flaw has been fixed.
The flaw in Microsoft’s Internet Explorer could allow criminals to take control of people’s computers and steal their passwords, internet experts say.
Microsoft urged people to be vigilant while it investigated and prepared an emergency patch to resolve it.
Internet Explorer is used by the vast majority of the world’s computer users.
“Microsoft is continuing its investigation of public reports of attacks against a new vulnerability in Internet Explorer,” said the firm in a security advisory alert about the flaw.
Microsoft says it has detected attacks against IE 7.0 but said the “underlying vulnerability” was present in all versions of the browser.
Other browsers, such as Firefox, Opera, Chrome, Safari, are not vulnerable to the flaw Microsoft has identified.
As many as 10,000 websites have been compromised since last week to take advantage of the security flaw, said antivirus software maker Trend Micro.
The websites have been mostly serving up programs that steal computer game passwords, but the flaw could be “adopted by more financially motivated criminals”, a Trend Micro security researcher said on Monday.
PC Pro magazine’s security editor, Darien Graham-Smith, said that there was a virtual arms race going on, with hackers always on the lookout for new vulnerabilities.
“The message needs to get out that this malicious code can be planted on any web site, so simple careful browsing isn’t enough.”
“It’s a shame Microsoft have not been able to fix this more quickly, but letting people know about this flaw was the right thing to do. If you keep flaws like this quiet, people are put at risk without knowing it.”
“Every browser is susceptible to vulnerabilities from time to time. It’s fine to say ‘don’t use Internet Explorer’ for now, but other browsers may well find themselves in a similar situation,” he added.
Source: BBC News – http://news.bbc.co.uk/1/hi/technology/7784908.stm
Other browsers: