Microsoft Corp urged Windows users on Monday to install a free piece of security software to protect PCs from a newly discovered bug in the Internet Explorer browser.
The security flaw, which researchers say could allow hackers to take remote control of an infected PC, affects Internet Explorer browsers used by hundreds of millions of consumers and workers. Microsoft said it will advise customers on its website to install the security software as an interim measure, buying it time to fix the bug and release a new, more secure version of Internet Explorer.
The free security tool, which is known as the Enhanced Mitigation Experience Toolkit, or EMET, is available on Microsoft’s website: http://bit.ly/Kv497S
Eric Romang, a researcher in Luxembourg, discovered the flaw in Internet Explorer on Friday, when his PC was infected by a piece of malicious software known as Poison Ivy that hackers use to steal data or take remote control of PCs.
When he analyzed the infection, he learned that Poison Ivy had gotten on to his system by exploiting a previously unknown bug, or "zero-day" vulnerability, in Internet Explorer.
The full security advisory is here; only IE 7, 8, and 9 on Windows XP, Windows Vista and Windows 7 are known to be at risk. Internet Explorer 10 is apparently not a problem.
Frankly, EMET isn’t a magic shield and it’s a tool that only geeks can love. The bottom line from the above article:
Dave Marcus, director of advanced research and threat intelligence with Intel Corp’s McAfee security division, said it might be a daunting task for home users to locate, download and install the EMET tool.
"For consumers it might be easier to simply click on Chrome," Marcus said.
Business users will have their own problems with it too.
Late last Friday, the European Competition Commission revealed that they are assessing a new Microsoft offer to resolve their browser competition complaint. Instead of Microsoft’s earlier plan to ship no Web browser at all with Windows 7 in the EU, Microsoft has offered to provide EU users of Windows XP and Vista as well as Windows 7 with a "ballot screen" with download links for the 5 most popular alternative browsers.
There are more details in the attachments to the Microsoft press release describing the proposal, but the basic idea is to provide current and easy download and installation links for the Web illiterate who can’t manage to find them on their own. Congratulations to Microsoft for trying to sidestep the black hole of actually shipping third party code. The EU seems to have a much more positive view of this proposal than the "no browser" plan, so Microsoft may actually get away with it.
In case you are wondering, Microsoft’s "no browser in EU versions of Windows 7" plan is still the plan of record until the European Commission accepts this new offer.
Getting far less press, but also significant, is that Microsoft is offering more interoperability information for its software including Windows, Windows Server, Office, Exchange, and SharePoint. That is spelled out in the attachments to the press release too and takes two forms:
The latter is apparently intended to address the second part of Opera’s original EU browser complaint that Internet Explorer was noncompliant with Web standards. It will be interesting to see whether this part of Microsoft’s offer will satisfy the Eurocrats, but I would bet that documentation of noncompliance will not be enough.
I also wonder whether "trustbusters" in the USA and elsewhere outside Europe might not also want to jump on the bandwagon and ask for the same terms as whatever settlement is reached in Europe.
Microsoft today released Internet Explorer 8 (IE8):
Today Microsoft Corp. announced the availability of Windows Internet Explorer 8, the new Web browser that offers the best solution for how people use the Web today. It can be downloaded in 25 languages at http://www.microsoft.com/ie8 starting at noon EDT on March 19. Internet Explorer 8 is easier to use, faster and offers leading-edge security features in direct response to people’s increasing concerns about online safety.
I have largely abandoned Internet Explorer in favor of Firefox and Chrome except for checking my websites to see how they render in IE because it still holds 70% of the browser market. The primary problem with IE7 was that it was a lumbering behemoth and the early reviews indicate that while IE8 is better, it is still not competitive:
But, in my tests, IE8 wasn’t as fast as Firefox, or two other notable browsers — the Windows version of Apple’s (AAPL) new Safari 4 and Google’s (GOOG) Chrome. IE8 loaded a variety of pages I tested more slowly than any of the other browsers, and it grew sluggish when juggling a large number of Web pages opened simultaneously in tabs.
Firefox also has a vibrant community of 3rd party add-ons which Internet Explorer lacks.
As for the Web site rendering, I am sure that there will be complaints about IE8 standards compliance, but the biggest immediate problem will likely be the Web sites coded to take advantage of past Internet Explorer peculiarities. To ease the withdrawal pains Microsoft has implemented an "IE7 compatibility mode" in IE8 which is triggered in various ways:
Try explaining that to your aged relatives. In the end, IE8 standards mode is just another browser that Web developers have to code and test for and it will happen eventually with hope springing eternal that it isn’t too much different than supporting Firefox.
So what’s the net? Internet Explorer 8 is a better browser than IE7 which is good news, but it isn’t a world beater.
Microsoft today released an emergency patch for Internet Explorer versions back to version 5.01 to fix a gaping security hole that was being exploited so massively that security experts were recommending that people stop using Internet Explorer entirely until it was fixed. Since the bad guys were exploiting it before Microsoft knew it existed, the exploit is termed "zero day" because that is how much notice Microsoft got of the problem. It is also termed a "drive-by" exploit since a user could pick up a malware infestation by merely using IE to browse any of thousands of compromised websites. In short, it was really nasty stuff.
This security update resolves a publicly disclosed vulnerability. The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This security update is rated Critical for Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, and Internet Explorer 7. For information about Internet Explorer 8 Beta 2, please see the section, Frequently Asked Questions (FAQ) Related to This Security Update. For more information, see the subsection, Affected and Non-Affected Software, in this section.
Recommendation. Microsoft recommends that customers apply the update immediately.
Aside from the table of download locations listed at the above link, the emergency patch is also available through Windows Update and Microsoft Update.