Microsoft pushes emergency browser fix for 10 bugs

Microsoft on Tuesday pushed out an emergency patch for a publicly known Internet Explorer (IE) vulnerability that has faced increasing exploits in recent days.

The flaw, which can permit the execution of remote code, affects only IE 6 and 7, not the latest version (IE 8) of the popular web browser, according to a Microsoft advisory posted earlier this month. A fix was scheduled for April 13, but was fast-tracked "due to growing attacks," Jerry Bryant, Microsoft's group manager for response communications, said in a blog post.

Tuesday's rare, out-of-band patch — Microsoft typically only releases security updates on the second Tuesday of each month — also resolves nine other bugs, none of which were publicly known prior to Tuesday. But experts do expect attackers to now reverse engineer the patch details to create fresh exploits.

Three of the nine newly announced vulnerabilities affect IE 8. However, just one of the flaws warranted "critical" status across all versions of IE.

"I assume that basically what happened is the fix for the first vulnerability allows criminals to understand or gain information about the other vulnerabilities, so they had to release it all at once," Mickey Boodaei, CEO of internet security firm Trusteer, told SCMagazineUS.com on Tuesday.