announced on Tuesday that it will issue an emergency fix on Wednesday for a dangerous zero-day vulnerability
in Internet Explorer (IE).
The software giant expects to release the patch at 1 p.m. EST on W
The vulnerability, announced last Wednesday
, involves a data-binding issue and affects all supported versions of Microsoft's web browser. So far, however, Microsoft is only aware of in-the-wild attacks
against IE7, said Christopher Budd, security program manager at Microsoft.
The company said it took immediate action to remedy the bug, updating its advisory on five different occasions to provide workaround guidance and ultimately pushing out a fix in just over a week.
"In response to the threat to customers and mindful of the challenges customers face deploying updates during this time of year, Microsoft immediately mobilized security engineering teams worldwide to develop, test and deliver a security update of appropriate quality for worldwide distribution in the unprecedented time of eight days," Budd said.
Microsoft malware analysts reported over the weekend that they were witnessing a significant ramp-up in websites hosting the exploit. Most of the sites were based overseas, particularly in Asia, but researchers estimated that some 0.2 percent of IE users worldwide had surfed to compromised web pages.
In an SC Magazine podcast
recorded on Monday, researcher Fred Doyle of iSIGHT Partners called this vulnerability one of the "worst" he has seen, partly because of the readily available exploit code and ease of exploit construction.
This marks the second out-of-band security patch to be released by Redmond this year. In October, the company pushed out an emergency fix
for a Windows Server Service vulnerability that was being leveraged to conduct targeted attacks.
Microsoft also released an out-of-band bulletin in April 2007 to correct
potentially devastating flaws in the way Windows handles ANI files. In 2006, Microsoft issued an earlier-than-scheduled fix
for a Windows Metafile (WMF) flaw.
Microsoft is planning webcasts at 4 p.m. EST Wednesday and Thursday so end-users can learn more about the latest patch.