Microsoft on Thursday delivered an emergency patch to correct seven Internet Explorer vulnerabilities, including at least one known to have been used in the highly publicized attacks against more than 30 brand-name companies.
Microsoft was forced to acknowledge the flaw last week, when McAfee reported that an IE exploit was one of the malware samples being used to spread data-stealing espionage trojans to Google, Adobe, Northrop Grumman, Juniper and more than 25 other large companies.
However, Microsoft had already known about the bug since September, when a researcher privately reported it to the company, Jerry Bryant, Microsoft's senior security program manager, said in a blog post on Thursday. Microsoft had planned to fix it as part of a cumulative IE update when it released its scheduled patches in February. It rushed the patch (MS10-002) out early once news broke of the attacks, which are believed to have originated in China.
"Once applied, customers are protected against the known attacks that have been widely publicized," Bryant said. "For customers using automatic updates, this update will automatically be applied once it is released."
Also Thursday, Symantec researchers announced that they have detected a new, in-the-wild exploit taking advantage of the vulnerability. The exploits are being hosted on "hundreds of websites," said Josh Talbot, security intelligence manager at Symantec Security Response.
The malware is different from the Hydraq trojan that was used in the attacks against Google, he said.
All attack vectors are covered by the Microsoft patch, Bryant said.