Microsoft announced Tuesday afternoon that it plans to release an emergency patch for the Internet Explorer (IE) vulnerability that has been leveraged in recent attacks on Google and other high-profile companies.
The unusual move by the software giant — Microsoft last released an out-of-band fix over the summer — speaks to the severity of the threat, which uses sophisticated malware to hijack intellectual property on behalf of Chinese hackers.
“Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment, Microsoft will release a security update out of band for this vulnerability,” said George Stathakopoulos, general manager of Microsoft’s Trustworthy Computing Security, in a blog post on Tuesday. “We take the decision to go out of band very seriously given the impact to customers, but we believe releasing an out-of-band update is the right decision at this time.”
Microsoft plans to announce Wednesday when it will release the fix.
So far, Microsoft is only aware of successful exploits against IE 6 in “very limited, and in some cases, targeted attacks,” and users are encouraged to update to IE 8, which offers mitigations against the vulnerability, Stathakopoulos said. The mitigating factors were described in an advisory released last week.
Attempted attacks against other versions of the web browser may not be too far off. On Monday, Jerry Bryant, a senior security program manager at Microsoft, said the company is aware of reports that publicly available proof-of-concept code exists that exploits the bug on IE 7 running on Windows XP and Vista.
The emergency patch will come before Feb. 9, which is Microsoft’s next scheduled security update.
The trojan used in the espionage operation, codenamed Aurora, is known as Hydraq, according to security firm Symantec.
“Based on the functionality of the trojan, we can safely surmise that the intent of the Trojan is to open a back door on a compromised computer allowing a remote attacker to monitor activity and steal information from the compromised computer,” said a Symantec Security Response blog post on Monday. Once installed inside a corporate network, the back door feature of the trojan can also allow the attacker to use the initially compromised computer as a springboard to launch further forays into the rest of the infrastructure, meaning that the wealth of information that may be stolen could potentially be far greater than that existing on a single machine.
The post said that another variant of the trojan was used over the summer in similar attacks and spread as a specially crafted PDF file.
Contrary to earlier reports, it does not appear that a similar file type was used here. VeriSign iDefense on Friday retracted an earlier analysis that had reported the China attacks were aided by vulnerable software from Adobe.