Microsoft readies emergency fix for Internet Explorer bug

Share this article:
Microsoft announced on Tuesday that it will issue an emergency fix on Wednesday for a dangerous zero-day vulnerability in Internet Explorer (IE).

The software giant expects to release the patch at 1 p.m. EST on Wednesday.

The vulnerability, announced last Wednesday, involves a data-binding issue and affects all supported versions of Microsoft's web browser. So far, however, Microsoft is only aware of in-the-wild attacks against IE7, said Christopher Budd, security program manager at Microsoft.

The company said it took immediate action to remedy the bug, updating its advisory on five different occasions to provide workaround guidance and ultimately pushing out a fix in just over a week.

"In response to the threat to customers and mindful of the challenges customers face deploying updates during this time of year, Microsoft immediately mobilized security engineering teams worldwide to develop, test and deliver a security update of appropriate quality for worldwide distribution in the unprecedented time of eight days," Budd said.

Microsoft malware analysts reported over the weekend that they were witnessing a significant ramp-up in websites hosting the exploit. Most of the sites were based overseas, particularly in Asia, but researchers estimated that some 0.2 percent of IE users worldwide had surfed to compromised web pages.

In an SC Magazine podcast recorded on Monday, researcher Fred Doyle of iSIGHT Partners called this vulnerability one of the "worst" he has seen, partly because of the readily available exploit code and ease of exploit construction.

This marks the second out-of-band security patch to be released by Redmond this year. In October, the company pushed out an emergency fix for a Windows Server Service vulnerability that was being leveraged to conduct targeted attacks.

Microsoft also released an out-of-band bulletin in April 2007 to correct potentially devastating flaws in the way Windows handles ANI files. In 2006, Microsoft issued an earlier-than-scheduled fix for a Windows Metafile (WMF) flaw.

Microsoft is planning webcasts at 4 p.m. EST Wednesday and Thursday so end-users can learn more about the latest patch.


Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

ISSA tackles workforce gap with career lifecycle program

ISSA tackles workforce gap with career lifecycle program ...

On Thursday, the group launched its Cybersecurity Career Lifecycle (CSCL) program.

Amplification DDoS attacks most popular, according to Symantec

Amplification DDoS attacks most popular, according to Symantec

The company noted in a whitepaper released on Tuesday that Domain Name Server amplification attacks have increased 183 percent between January and August.

Court shutters NY co. selling security software with "no value"

A federal court shut down Pairsys at the request of the Federal Trade Commission.