Microsoft on Thursday released a fix for an Internet Explorer (IE) vulnerability that had been exploited by cyber attackers and had led the U.S. government to recommend people use alternate browsers until Microsoft patched the problem.

Users who are running Windows with automatic updates enabled will not need to take any action, as the update will download and install automatically, Microsoft said in a security advisory issued Thursday.

Individuals who don’t have automatic updates enabled on their PCs can install the fix manually by clicking the “Check for updates” button in the Windows Update portion of their Control Panel, according to a Microsoft blog post.

Corporate IT departments can find more details on how to install the update for their organizations in Thursday’s security bulletin. Microsoft is hosting a webcast at 11 a.m. Friday geared toward answering questions from IT people about the fix.

There’s good news for Windows XP users. Although Microsoft had said earlier that any security update would not apply to the nearly 13-year-old operating system, which Microsoft had stopped supporting last month, the company said Thursday that it had decided to issue the security update to Windows XP customers.

“Even though Windows XP is no longer supported by Microsoft and is past the time we normally provide security updates, we’ve decided to provide an update for all versions of Windows XP (including embedded), today,” Adrienne Hall, general manager of Microsoft Trustworthy Computing, said in a blog post.

“We made this exception based on the proximity to the end of support for Windows XP. The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown. Unfortunately, this is a sign of the times and this is not to say we don’t take these reports seriously. We absolutely do.

“The security of our products is something we take incredibly seriously,” Hall said. “This means that when we saw the first reports about this vulnerability we said fix it, fix it fast, and fix it for all our customers.”

The vulnerability, which affects IE versions 6 to 11, is a remote code-execution vulnerability, meaning cyber attackers could create a Web page and persuade users to view that Web page or attachment, which then allows the attackers to execute code on a machine without the victim knowing about it.

The problem was first discovered Friday evening by cybersecurity firm FireEye, which found active attacks exploiting the vulnerability on IE 9 to 11.

Microsoft posted an advisory with tips on workarounds on Saturday.

On Monday, the U.S. and U.K. governments issued recommendations for people to either implement the workarounds or use alternative browsers.

Janet I. Tu: 206-464-2272 or On Twitter @janettu.