Microsoft readies emergency fix for Internet Explorer bug

Microsoft announced on Tuesday that it will issue an emergency fix on Wednesday for a dangerous zero-day vulnerability in Internet Explorer (IE).

The software giant expects to release the patch at 1 p.m. EST on Wednesday.

The vulnerability, announced last Wednesday, involves a data-binding issue and affects all supported versions of Microsoft's web browser. So far, however, Microsoft is only aware of in-the-wild attacks against IE7, said Christopher Budd, security program manager at Microsoft.

The company said it took immediate action to remedy the bug, updating its advisory on five different occasions to provide workaround guidance and ultimately pushing out a fix in just over a week.

"In response to the threat to customers and mindful of the challenges customers face deploying updates during this time of year, Microsoft immediately mobilized security engineering teams worldwide to develop, test and deliver a security update of appropriate quality for worldwide distribution in the unprecedented time of eight days," Budd said.

Microsoft malware analysts reported over the weekend that they were witnessing a significant ramp-up in websites hosting the exploit. Most of the sites were based overseas, particularly in Asia, but researchers estimated that some 0.2 percent of IE users worldwide had surfed to compromised web pages.

In an SC Magazine podcast recorded on Monday, researcher Fred Doyle of iSIGHT Partners called this vulnerability one of the "worst" he has seen, partly because of the readily available exploit code and ease of exploit construction.

This marks the second out-of-band security patch to be released by Redmond this year. In October, the company pushed out an emergency fix for a Windows Server Service vulnerability that was being leveraged to conduct targeted attacks.

Microsoft also released an out-of-band bulletin in April 2007 to correct potentially devastating flaws in the way Windows handles ANI files. In 2006, Microsoft issued an earlier-than-scheduled fix for a Windows Metafile (WMF) flaw.

Microsoft is planning webcasts at 4 p.m. EST Wednesday and Thursday so end-users can learn more about the latest patch.

