The patch is critical and Internet Explorer 6 users should install it immediately, Microsoft advised in an alert accompanying the patch. Attackers, Microsoft acknowledged, are known to be exploiting the bug.

An attacker could exploit this vulnerability by creating a malicious web page and persuading the user to visit the page, the company warned. The attacker could run code of his choice on the compromised machines.

The vulnerability has been known publicly since at least October 24. Exploit code was released quickly and merged with MyDoom worm code to create a new worm family, Bofra, which hit the wild within about two weeks.

Malicious hackers also used the exploit as part of a multi-level attack that hit unprotected Windows PCs via banner ads served up by a number of major European web sites. Windows versions before XP Service Pack 2 were vulnerable.

“It’s good that Microsoft decided to release this outside of its regular release cycle,” said Mike Murray, director of research at nCircle Network Security Inc, who often works with Microsoft while patches are created for vulnerabilities nCircle has found.

This is the second time Microsoft has broken from its monthly patch cycle to issue an update that addresses a zero-day vulnerability.

This time, it was about 38 days between vulnerability disclosure and patch release. Some security researchers think that is too long, but others believe it’s a reasonable period considering the size of Microsoft and the size of the Windows source code.

“38 days from finding out to patching in a big software enterprise is not that long, but it’s a long time for the people out there who have to sit through the attacks,” said Murray. “Better now than two weeks from now, but better two weeks ago than today.”

“The time it takes to deliver an update is really a function of quality,” a Microsoft spokesperson said. “Security response requires a balance between time and testing, but Microsoft will only release an update that is as well engineered and thoroughly tested as possible – whether that is a day, week, month or longer.”