Microsoft Patches IE Flaw Used in Google Hacking

A critical security flaw in Internet Explorer 6 played a role in the hacking of many top tech firms, including Google, which led to the current drama between the U.S. search giant and China.

Microsoft yesterday released the update that should patch the hole in Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8. Those who have Automatic Updates enabled should receive the update through that channel; otherwise it can be downloaded directly from Microsoft.

Interestingly, Kaspersky Lab's Threatpost reports that Microsoft learned of this security hole back in September 2009 and had planned to ship a patch in February 2010, but the company had to accelerate its plans in light of the recent hacking of Google.

Marcus Yam
Marcus Yam served as Tom's Hardware News Director during 2008-2014. He entered tech media in the late 90s and fondly remembers the days when an overclocked Celeron 300A and Voodoo2 SLI comprised a gaming rig with the ultimate street cred.
  • SAL-e
    Security by obscurity Security.
    When are we going to learn the lesson? Probably never!
    In this case I am more mad at Kaspersky for keeping quiet for more than 3 months. They just entered my blacklist.
    Reply
  • edilee
    Why are "top tech firms" still using Internet Explorer 6 LOL. Guess they're still using 386 machines too?
    Reply
  • JD13
    Systems administrator asleep at the wheel...
    Is it better to find the flaw & report it right away or wait until you have a patch then tell everyone?
    Reply
  • ethanolson
    Microsoft said everyone should ditch IE6. Listen to them!
    Reply
  • gpfear
    and this flaw affected IE7 and IE8
    Reply
  • Milleman
    Apparently all IE versions are affected and should be handled with care.
    Reply
  • maximus20895
    Yet another reason why Firefox wins and IE is horrible.

    Interestingly, Kaspersky Labs Threatpost reports that Microsoft learned of this security hole back in September 2009 and planned for a patch in February 2010

    So let me get this straight: they knew about it in September, but purposely put it off until four months later? Why wouldn't they fix the flaw ASAP?
    Reply
  • dravis12
    SAL-e: Security by obscurity Security. When we are going to learn the lesson? Probably never! In this case I am more mad at Kaspersky for keeping quiet for more then 3 months. They just enter into my black list.
    It doesn't say that Kaspersky knew that there was a problem in September, only that Microsoft was aware of it. How is that Kaspersky's fault?
    Reply
  • SAL-e
    dravis12: It doesn't say that Kaspersky knew that there was a problem in September, only that Microsoft was aware of it. How is that Kaspersky's fault?
    Ok. My assumptions were:
    1. Kaspersky found the bug.
    2. Kaspersky privately reported the problem to MS.
    3. MS and Kaspersky, using security by obscurity, took more than 3 months to release the knowledge and fix for the problem.
    If you read the MS security bulletins as I do you will notice that more than 80% of the problems are privately reported to MS and only a small part of them are discovered by internal audit. That is why I made those assumptions.
    But I see your point. From the information provided by the article there is another possibility: that Kaspersky learned about the problem from MS and they are outraged that MS took more than 3 months to fix the problem.

    Thank you for correcting me.
    Reply
  • spectrewind
    ethanolson: Microsoft said everyone should ditch IE6. Listen to them!
    As has been pointed out in many other threads, not every business has the money/man-power to just deploy software updates like this. In a production environment where IE6 is supported for web interfaces, but IE7 (or higher) is not, it makes more sense to continue using IE6 with a few expected infections than to pull everyone forward to the current IE and cause a web-based application to cease to work.

    Some will point out that the web application should be upgraded. Again, planning, money, and man-power decide this, and it generally needs to be tested prior to roll-out.

    Dealing with on-occurrence virus infections is easier, given this, when you can just re-image a machine from a known-good config.
    Reply