Patched IE8 flaw used for targeted attacks, says Microsoft

News

Patched IE8 flaw used for targeted attacks, says Microsoft

Warwick Ashford

Microsoft says hackers have attacked some computers by exploiting a flaw in Internet Explorer 8 that was disclosed in May by a Google researcher.

Google security engineer Tavis Ormandy came under fire for publicising the flaw without telling Microsoft first, but the company was able to issue a patch in its June Patch Tuesday security update.

Microsoft provided few details about the attacks, but said hackers had exploited the flaw to carry out "targeted attacks", according to the Guardian.

Tavis Ormandy has clashed on several occasions with Microsoft, which encourages researchers to disclose flaws responsibly so attackers cannot exploit vulnerabilities before they are fixed.

In June 2010, Ormandy went public with a zero-day vulnerability in Windows XP and Windows Server 2003.

Ormandy published his advisory, including exploit code, just five days after reporting the vulnerability to Microsoft.

At the time, the Microsoft said reporting vulnerabilities directly to suppliers without further disclosure helped ensure customers receive high-quality updates before vulnerabilities are exploited.

However, the fact that the flaw is being exploited after the release of a security update highlights the importance of keeping all software up to date.

Failure to patch software applications exposes computer systems to attackers exploiting known vulnerabilities, research has shown.

Keeping software up to date with security patches can deliver 80% protection from cyber threats, Secunia research analyst Stefen Frie told attendees of Infosec Europe 2012 in London.

The best way for enterprise information security professionals to deal with the onslaught of malware is by applying enterprise software security updates as soon as possible, he said.


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy