Microsoft has released its scheduled security patches
for April, including one designed to address an unpatched bug in
the Internet Explorer browser that had been exploited for a number
of weeks.
In all, the company released five patches to address critical
vulnerabilities in Explorer and other elements of Windows.
The Internet Explorer patches include a fix for a vulnerability that
malware writers had exploited by tricking users into visiting websites
that took advantage of the bug to download unauthorised software
onto their PCs.
Security suppliers eEye Digital Security and Determina had already
taken advantage of Microsoft’s inaction to create patches to
address the vulnerability, resulting in hundreds of thousands of
downloads by worried consumers.
Microsoft also released patches for a similarly critical
vulnerability in the way Windows Explorer handles Component Object
Model objects and for a vulnerability in an ActiveX control called
RDS.Dataspace, which is distributed with the Microsoft Data Access
Components.
Microsoft has taken flak over its decision to wait until its
scheduled update before issuing a patch. Time will tell how
effective – or mistaken – that strategy will prove to be.