Tuesday, for the first time this year, Microsoft released out-of-band patches to repair what it considers critical vulnerabilities in the Internet Explorer Web browser.
To keep IT professionals from being overwhelmed by the testing and deployment of security fixes, Microsoft releases patches once a month so that administrators can plan around a predictable schedule. Only when it judges a flaw critical -- meaning it can be exploited remotely with little or no user intervention -- does the company issue what it calls an out-of-band release. In this case, users can open themselves up to an attack simply by viewing a malicious Web page.
While Microsoft lists the affected versions of Internet Explorer by operating system, it is safe to say that anyone running any version of the browser on Windows 2000 or later is vulnerable. Additionally, patches are being released for holes in the Visual Studio Active Template Library (ATL), the library developers use to build ActiveX controls and other COM components.
A company spokesman stated that users who are up-to-date with patches are already protected against these flaws, which raises the question: why release critical updates out of band at all? From what we can tell, the answer is what Microsoft is calling a new defense-in-depth technology.
This defense-in-depth technology is designed to protect IE users from potential future attacks that use the ATL vulnerabilities. In other words, the problem is twofold. There is a flaw in the library code (ATL) that developers use to build components for some Web sites, but there is also a hole in the browser that lets the resulting attack through. The defense-in-depth change fixes the browser's side of the problem, so users do not have to wait for every developer to rebuild their components against the repaired library.
While Microsoft is to be commended for taking such an aggressive approach to heading off this potential nightmare for users, let's not lose sight of the fact that the out-of-band release is at least as likely to prevent a public relations nightmare as anything else. It is remarkable that security holes of this nature are still being discovered in browsers three versions behind the current one, and that one of them is serious enough to warrant a response this drastic. And to think, we were just starting to feel safe with IE 6 on XP.
Leave a comment below and join our community at community.crn.com to let us know what you think.