Microsoft Patches Browser Security Hole

After a scary couple of days, Microsoft has patched a "critical" vulnerability in its Internet Explorer Web browser.

A previously unknown flaw, primarily in Internet Explorer 7, permitted "drive-by downloads" of viruses and other malicious software (or "malware") embedded in hidden code on popular Web sites.

The "zero-day" vulnerability, which came to light last week, allowed criminals to take over victims' machines simply by steering them to infected Web sites; users wouldn't have to download anything for their computers to get infected, which made the IE 7 flaw so dangerous.

Microsoft posted the fix Wednesday afternoon; users who have automatic updates turned on will receive it over the next 24 hours.

• Click here to download the patch manually; make sure you get the one for your specific operating system and browser.

• Click here to visit's Cybersecurity Center.

Until you are sure your system is patched, it might be best to use alternative browsers, such as Mozilla Firefox, Google's Chrome, Opera or even Apple's Safari, which has had its own security problems. Like Internet Explorer, all are free downloads.

As many as 10,000 sites have been compromised since last week to exploit the browser flaw, according to antivirus software maker Trend Micro Inc. Operators of Web sites usually have no idea they've been infected.

The sites are mostly Chinese and have been serving up programs that steal passwords for computer games, which can be sold for money on the black market.

However, the hole is such that it could be "adopted by more financially motivated criminals for more serious mayhem — that's a big fear right now," Paul Ferguson, a Trend Micro security researcher, said Monday.

Microsoft stressed that the flaw was proven to exist only in IE 7 on all applicable versions of Windows, but that IE 6 and the "beta" release of IE 8 were "potentially vulnerable."

The patches apply to all currently supported versions of IE on all currently supported versions of Windows.

Microsoft's immediate reaction was to detail a complicated sets of workarounds that mitigated the vulnerability; the first step anyone needed to take was to set the "Internet zone security setting" to "high."

"Zero-day" vulnerabilities like this are a gold mine for criminals because users have few ways to fight off attacks.

Microsoft rarely issues security fixes for its software outside of its regular second-Tuesday monthly updates. The company last did it in October, and a year and half before that.