Microsoft on Thursday bowed to pressure from security experts and published an official patch to correct one of the biggest-ever security holes in its Windows operating system five days earlier than expected.

The flaw, which was discovered last week, put millions of Windows computers, which account for about 90 per cent of PCs worldwide, at risk of infection by spyware or viruses.

Mike Nash, vice president of Microsoft’s security division, said conversations with customers contributed to the company’s decision to accelerate the release of the patch.

“While we would always like to have more time, we are confident in the quality of the update,” Mr Nash wrote on Microsoft’s security centre weblog.

Microsoft had planned to wait until January 10 to publish the official fix in its monthly security bulletin. Those plans, which were in line with the company’s normal practice, drew criticism from computer users and security experts, who said that leaving a hole in Windows’s security defences would leave millions of computers vulnerable to attack.

The new vulnerability was considered particularly dangerous because, unlike traditional attacks, which require victims to download or execute a suspect file, most users’ computers could be infected simply by viewing a website, e-mail or instant message that contained a virus-laden image.

“Everybody was hoping they would get the patch out before a major attack would start,” said Mikko Hypponen, chief research officer at F-Secure, a Finnish anti-virus company. “Now it looks like they succeeded.”

The timing of the first attacks, which occurred during the quiet period between Christmas and New Year’s Day, raised concerns that corporate IT systems could be left particularly vulnerable.

Those concerns were compounded on December 31, when a group of hackers published the source code they used to exploit the vulnerability – a move that provided malicious programmers with an easy way to launch their own attacks.

Microsoft said that although it continued to monitor hackers seeking to exploit the security hole, attacks so far had been limited. Mr Nash urged business customers to deploy the patch as quickly as possible.

Copyright The Financial Times Limited 2021. All rights reserved.