Elizabeth Weise

USATODAY

SAN FRANCISCO — Microsoft issued a fix on Thursday for a security flaw in Internet Explorer that led the Department of Homeland Security to suggest users change browsers until the problem was solved.

The fix updates the computers of all users of the Windows operating system who have automatic updates turned on, the company said on its security response page.

For those that don't have the updates enabled, "now is the time," wrote Dustin Childs, with the response communications team at Microsoft.

To turn it on, users should click on the "Check for Updates" button on the Windows Update portion of the Control Panel.

"For those manually updating, we strongly encourage you to apply this update as quickly as possible following the directions in the released security bulletin," Childs said.

The fix is surprising because it also includes code for the Windows XP operating system, which Microsoft officially stopped supporting on April 8.

Because the security flaw came to light so close to the end of Microsoft support of the still-popular operating system, the decision was made to aid consumers, said Adrienne Hall, general manager with the company's Trustworthy Computing section.

"Of course, we're proud that so many people loved Windows XP, but the reality is that the threats we face today from a security standpoint have really outpaced the ability to protect those customers using an operating system that dates back over a decade," she said.

"This is why we've been encouraging Windows XP customers to upgrade to a modern, more secure operating system like Windows 7 or Windows 8.1," she said.

The Internet Explorer security flaw allows hackers to get around security protections in the Windows operating system. A computer can then be infected when the user visits a compromised website.

The security update was pushed out to consumers' computers through a function in the Windows operating system called Windows Update.

The fix is coming outside of Microsoft's usual monthly security update cycle, said Hall.

"The security of our products is something we take incredibly seriously, so the news coverage of the last few days about a vulnerability in Internet Explorer has been tough for our customers and for us," she wrote on a Microsoft tech blog.

"This means that when we saw the first reports about this vulnerability we said fix it, fix it fast, and fix it for all our customers. So we did."

That's a big deal, said Trey Ford, a strategist with Rapid7, a Boston-based computer security firm.

"Major vendors like Microsoft, Oracle, Adobe and others have highly structured software-testing workflows that are expensive in terms of time and resources," he said. "To interrupt a scheduled development cycle for an emergency patch, or 'out of band' release, is a noteworthy event, where a vendor is placing the public good ahead of their development and delivery life cycle."

The security flaw was first publicized on Saturday by FireEye, a Milpitas, Calif.-based computer security company. They observed a known hacking group launching "spearfishing attacks" against some of their customers, said Darien Kindlund, director of threat research.

Someone within the targeted company would get an e-mail with a link to a website the attackers controlled (the spear thrown to the fish.) "The victim would click on the link, and simply by going to the page, their system would be compromised," Kindlund said.

The attacks appeared to have been mainly done for industrial espionage, targeting intellectual property or corporate secrets, Kindlund said.

Because of that, it appears the group wasn't interested in the computers of regular consumers.

However, in many such cases, the computer code necessary to carry out the attack is dispersed relatively quickly to less sophisticated groups simply looking to steal credit card information.

Because Microsoft released its patch so quickly, that doesn't appear to have had time to happen, Kindlund said.