Microsoft readies emergency fix for Internet Explorer bug

Share this article:
Microsoft announced on Tuesday that it will issue an emergency fix on Wednesday for a dangerous zero-day vulnerability in Internet Explorer (IE).

The software giant expects to release the patch at 1 p.m. EST on Wednesday.

The vulnerability, announced last Wednesday, involves a data-binding issue and affects all supported versions of Microsoft's web browser. So far, however, Microsoft is only aware of in-the-wild attacks against IE7, said Christopher Budd, security program manager at Microsoft.

The company said it took immediate action to remedy the bug, updating its advisory on five different occasions to provide workaround guidance and ultimately pushing out a fix in just over a week.

"In response to the threat to customers and mindful of the challenges customers face deploying updates during this time of year, Microsoft immediately mobilized security engineering teams worldwide to develop, test and deliver a security update of appropriate quality for worldwide distribution in the unprecedented time of eight days," Budd said.

Microsoft malware analysts reported over the weekend that they were witnessing a significant ramp-up in websites hosting the exploit. Most of the sites were based overseas, particularly in Asia, but researchers estimated that some 0.2 percent of IE users worldwide had surfed to compromised web pages.

In an SC Magazine podcast recorded on Monday, researcher Fred Doyle of iSIGHT Partners called this vulnerability one of the "worst" he has seen, partly because of the readily available exploit code and ease of exploit construction.

This marks the second out-of-band security patch to be released by Redmond this year. In October, the company pushed out an emergency fix for a Windows Server Service vulnerability that was being leveraged to conduct targeted attacks.

Microsoft also released an out-of-band bulletin in April 2007 to correct potentially devastating flaws in the way Windows handles ANI files. In 2006, Microsoft issued an earlier-than-scheduled fix for a Windows Metafile (WMF) flaw.

Microsoft is planning webcasts at 4 p.m. EST Wednesday and Thursday so end-users can learn more about the latest patch.


Share this article:

Sign up to our newsletters

More in News

Facebook scam leads victims to Nuclear exploit kit

Researchers at Symantec say attackers are becoming more aggressive and using Facebook scams to exploit users' computers.

eBay faces class-action suit over breach

eBay faces class-action suit over breach

A suit filed in a federal court in Louisiana charges the company with failing to protect personal information and seeks damages on multiple counts.

Five schools earn NSA's excellence in cyber ops distinction

The schools earned NSA's Centers for Academic Excellence designation for their cyber offerings.