Microsoft to release out-of-cycle patch for "critical" flaws

After issuing a stopgap patch on Wednesday for a vulnerability that could allow attacks through its Internet Explorer (IE) browser, Microsoft announced that it will release an update to repair five flaws, including a new zero-day vulnerability.

The bugs affect IE 9 and earlier versions and, if exploited, could allow attackers to take command of Windows PCs and infect them with malware.

Microsoft said it plans to release the fix as close as possible to 10 a.m. PDT on Friday.

As explained in Microsoft Security Advisory (2757760) released on Monday, the "remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated." The flaw could corrupt memory and allow an attacker to execute arbitrary code.

According to a blog post by Yunsun Wee, director of Trustworthy Computing for Microsoft, the vulnerabilities affected a small number of customers.

"The potential exists, however, that more customers could be affected," he wrote.

The fix will be available through Windows Update and the company recommends users install it as soon as it is available. Users with automatic updates enabled on their PC won't need to take any action.

Microsoft has been communicating with users on the issue all week, Andrew Storms, director of security operations for nCircle, wrote in an email to SCMagazine.com Thursday.

"Even if you think there are a lot of things Microsoft can improve, they are light years ahead of other vendors in providing clear, consistent, valuable communication to their users on security issues," he said.

Microsoft said that Friday's fix covers "other issues as well."
