The blowback from GoogleÃ¢â‚¬â„¢s threat to leave ChinaÃ‚Â continues to escalate like a hyper-ventilated episode of Law & Order.

Microsoft has just announced that it will issue an emergency patch — something it rarely does Ã¢â‚¬â€œ to staunch the Internet Explorer security hole implicated in recent data-stealing cyberattacks against Google, Adobe, Jupiter and dozens of other companies.

UPDATE: Microsoft has just announced that the patch will be released at 10 a.m. Pacific time, on Thursday, 21Jan2009.

Despite mounting evidence to the contrary, the software giant continues to downplay the extent to which this latest in a long, long line of IE zero-day vulnerabilities is being used in the wild well before a patch is available.

In this blog post, George Stathakopoulos, Microsoft’s general manager trustworthy computing security, claims Microsoft has seen only Ã¢â‚¬Å“very limited, and in some cases, targeted attacksÃ¢â‚¬Â linked to this IE zero-day flaw.

High urgency

Ã¢â‚¬Å“To date, the only successful attacks that we are aware of have been against Internet Explorer 6,Ã¢â‚¬Â he says.

And yet Stathakopoulos, at the same time, has signaledÃ‚Â high urgency to get this patch out and widely installed. Microsoft is not waiting until it’s next Patch Tuesday — Feb. 9 — the next scheduled date for issuing security updates. And it is going public about the patch even before it has ascertained how long it will take to finish designing Ã¢â‚¬â€œ and testing.

Stathakopoulos indicates that Microsoft won’t know until tomorrow, 20Jan2010, at the earliest, just how long it will take to finish up design and testing of the patch. It is planning to issue a press release sometime on Wednesday revealing when the patch will be ready.

“Quality assurance testing for (an update to) something as complicated as Internet Explorer is a gargantuan task,” says Chet Wisniewski, security analyst at Sophos. “They need to make sure the patch doesn’t break anything in Windows before they can release it.”

This is all part of the fast-evolving fall-out of Google grabbing a high-level of public attention about an otherwise routine cyber espionage assault. By threatening to pull out of China, Google has, for the moment, elevated the security discussion to a level that the problem warrants.

Plot thickens

Over the past nine days the plot has thickened at high velocity. Here’s a chronology:

6 p.m. EST,Ã‚Â Tuesday, 11Jan2010. Google issues a press release timed to miss the network TV news cycle. The search giant says it Ã¢â‚¬Å“may wellÃ¢â‚¬Â leave China because of cyberattacks and censorship.

Thursday, 14Jan2010. McAfee discloses that Google and some 30 other companies were targeted by a spear phishing campaign, dubbed Operation Aurora. The attackers tricked specific employees to click on a bad link, accessing a heretofore unknown security hole in IE6, an older version of Microsoft’s popular Web browser, to take over control of the PC.

Thursday, 14Jan2010. President Obama convenes 50 CEOs to hear him deliver a speech on modernizing government tech systems. Among them: Microsoft CEO Steve Ballmer, wearing a patriotic red-white-and-blue tie. After ObamaÃ¢â‚¬â„¢s speech, CNBC reporter Maria Bartiromo appears to catch Ballmer a bit off guard in a live interview. In the midst of a string of predictable questions, Bartimoro asks Ballmer about IE’s complicity in the Google cyber attacks, as disclosed by McAfee just a few hours earlier. Ballmer pauses slightly, thinking on his feet.Ã‚Â He tells Bartimoro:Ã‚Â “Cyber attacks and occasional vulnerabilities are a way of life. If the issue is with us, we’ll work through it with all of the important parties. We have a whole team of people that responds very real time to any report that it may have something to do with our software, which we don’t know yet.”

Friday, 15Jan2009. Metasploit researcher HD Moore reveals how the new, unpatched IE security flaw could be exploited on IE7 and IE8, the latest versions of Microsoft’s popular Web browser. Moore, the mastermind behindÃ‚Â Month of Apple Bugs, is a self-styled good-guy hacker who believes in holding vendors’ feet to the fire, forcing them to take full responsibility for security flaws in their commercially- sold products. In this case, it worked. “Microsoft is afraid that if it only took researchers a day or two to figure this out, it will take the bad guys a couple more days to do the same thing,” says Sophos analyst Wisniewski.

Friday, 15Jan2010, the German government issues a warning advising its citizens to find an alternative to Internet Explorer.

Monday, 18Jan2010, the French and Australian government issue warnings not to use IE.

Tuesday,Ã‚Â 19Jan2010. Microsoft announces an IE patch is in the works. Within an hour of MicrosoftÃ¢â‚¬â„¢s announcing the patch, Falguni Bhuta, communications manager, for Olso, Norway-based Opera Software contacts LastWatchdog to announce that downloads of its rival Opera Web browser has doubled in Germany and risen 35 percent in Australia. “Security issues continue to plague Internet Explorer users, and the latest recommendations from the German and French governments against using the browser are in line with what the security experts have been saying for years,Ã¢â‚¬Â says Jan Standal, Opera’s vice president of desktop products.

By Byron Acohido

The blowback from GoogleÃ¢â‚¬â„¢s threat to leave China because of cyberattacks and censorships continues to escalate. Microsoft has just announced that it will issue an emergency patch — something it rarely does Ã¢â‚¬â€œ to staunch the Internet Explorer security hole implicated in recent data-stealing cyberattacks against Google, Adobe, Jupiter and dozens ofÃ‚Â other companies. Despite mounting evidence, the software giant continues to downplay the extent to which this latest in a long, long line of IE zero-day vulnerabilities is being used in the wild well before a patch is available. In this blog post, George Stathakopoulos, Microsoft’s general manager trustworthy computing security, claims Microsoft has seen only Ã¢â‚¬Å“very limited, and in some cases, targeted attacksÃ¢â‚¬Â linked to this IE zero-day flaw. Ã¢â‚¬Å“To date, the only successful attacks that we are aware of have been against Internet Explorer 6,Ã¢â‚¬Â he says. And yet Microsoft is, at the same time, signaling high urgency. It will not wait until it’s next Patch Tuesday — Feb. 9 — the next scheduled date for issuing security updates. And it is going public about the patch even before it has ascertained how long it will take to finish designing Ã¢â‚¬â€œ and testing. Stathakopoulos indicates that Microsoft won’t know until tomorrow, 20Jan2010, at the earliest, Ã‚Â just how long it will take to finish up design and testing of the patch. It is planning to issue a press release sometime on Wednesday revealing when the patch will be ready. “Quality assurance testing for (an update to) something as complicated as Internet Explorer is a gargantuan task,” says Chet Wisniewski, security analyst at Sophos. “They need to make sure the patch doesn’t break anything in Windows before they can release it.” This is all part of the fast-evolving fall-out of Google grabbing a high-level of public attention about an otherwise routine cyber espionage assault. By threatening to pull out of China, Google has, for the moment, elevated the security discussion to a level that the problem warrants. The has thickened like a hyper-ventilated episode of Law & Order. At 6 p.m., last Tuesday, 11Jan2010, Google sends a press release out timed to miss the TV network news cycle. The search giant says it Ã¢â‚¬Å“may wellÃ¢â‚¬ÂÃ‚Â leave China because of cyberattacks and censorship. On Thursday, 14Jan2010, McAfeeÃ‚Â discloses that Google and some 30 other companies were targeted by a spear phishing campaign, dubbed Operation Aurora. The attackers tricked specific employees to click on a bad link, accessing a heretofore unknown security hole in IE6, an older version of Microsoft’s popular Web browser, Ã‚Â to take over control of the PC. Co-incidentally, also on Thursday, 14Jan2010, President Obama convenes tech execs from around the globe to hear him deliver a speech on modernizing the Internet. Among them: Microsoft CEO Steve Ballmer, wearing a patriotic red-white-and-blue tie. After ObamaÃ¢â‚¬â„¢s speech, CNBC reporter Maria Bartiromo appears to catchÃ‚Â Microsoft BallmerÃ‚Â a bit off guard Ã‚Â in a live interview. In the midst of a string of predictable questions Bartimoro asks Ballmer aboutÃ‚Â IE’s complicity in the Google cyber attacks, as disclosed by McAfee just a few hours earlier. Ballmer answers: Cyber attacks and occasional vulnerabilities are a way of life.Ã‚Â If the issue is with us, we’ll work through it with all of the important parties. We have a whole team of people that responds very real time to any report that it may have something to do with our software, which we don’t know yet. The very next day,Ã‚Â Friday,Ã‚Â 15Jan2009, Metasploit researcher HD Moore reveals how the new, unpatched IEÃ‚Â security flaw could be exploited on IE7 and IE8, the latest versions of Microsoft’s popular Web browser. “Microsoft is afraid that if it only took researchers a day or two to figure this out, it will take the bad guys a couple more days to do the same thing,”Ã‚Â says Wisniewski. The concern was shared by government leaders. On Friday, 15Jan2010, the German government issued a warning advising its citizens to find an alternative to Internet Explorer, and by Monday, 18Jan2010, the French and Australian government followed suit. Then today, 19Jan2010, within an hour of MicrosoftÃ¢â‚¬â„¢s announcing the patch, Falguni Falguni Bhuta, communications manager, for Olso, Norway-basedÃ‚Â Opera Software contacted LastWatchdog to announce that downloads of its rival Opera Web browser has doubled in Germany and risen 35 percent in Australia. Just wanted to point out some of these numbers to you, thought it

would be interesting fodder for a story on IE security issues. Also

here is a statement from Jan Standal, Opera’s VP Product, Desktop. “Security issues continue to plague Internet Explorer users, and the

latest recommendations from the German and French governments against

using the browser are in line with what the security experts have been

saying for years,Ã¢â‚¬Â says Jan Standal, Opera’s vice president of desktop products.

January 19th, 2010 | For consumers | Imminent threats