Good news: Microsoft’s patch for the massive Internet Explorer vulnerability that exposed millions of Web users to surreptitious malware infections will automatically install during regularly scheduled or on-demand updates. Even better, Channel Insider testing found no major conflicts caused by the patch.
While an automatic IE patch may seem to exclude solution providers from fixing this security nightmare, the truth is that the severity and pervasiveness of the vulnerability actually create an opportunity for solution providers to talk with customers about their security practices and posture.
Security vendor Trend Micro discovered the vulnerability more than a week ago, almost immediately after Microsoft released one of its largest security updates on Patch Tuesday. The vulnerability allows malicious software—viruses, worms and Trojans—hidden on compromised or hostile Web sites to transparently download onto the host PC. Trend Micro reported on Tuesday that more than 6,000 Web sites had been compromised to target the IE vulnerability.
At first, Microsoft claimed only IE 7, the latest installment in the Explorer line, was affected by the vulnerability and advised setting Security Zones to high. Further analysis revealed all IE versions suffered from the same vulnerability, prompting the out-of-cycle patch released Wednesday.
The IE patch, KB960714, will download and install whenever the automatic update is scheduled to retrieve new instructions from Microsoft.