Microsoft preps emergency IE patch for release

Second out-of-cycle update in the last two months is imminent

Microsoft will issue an emergency patch on Wednesday to quash a critical bug in Internet Explorer (IE) that attackers have been exploiting for more than a week, the company announced Tuesday.

The advance warning came less than a week after Microsoft acknowledged that exploit code had gone public and was being used by hackers to hijack Windows PCs running IE.

Microsoft will deliver the out-of-cycle patch Wednesday afternoon (US time) via its normal update mechanisms, including Windows Update, Microsoft Update and Windows Server Update Services (WSUS).

The update will be pegged "critical," the most serious ranking in Microsoft's four-step scoring system.

Even as it declared that it would release an emergency fix, Microsoft continued to downplay the threat. "At this time, we are aware only of attacks that attempt to use this vulnerability against Windows Internet Explorer 7," said company spokesman Christopher Budd in an e-mail Tuesday.

Initially, Microsoft and other security companies believed that only IE7 was vulnerable to attack, but on review, the company confirmed that all versions of its browser, including IE5.01, IE6 and IE8 Beta 2, contain the bug.

Last weekend, Microsoft researchers said that they had seen a "huge increase" in attacks, and that some were originating from legitimate Web sites. Another researcher added that about 6,000 infected sites were serving up exploits that target the IE vulnerability.

Also today, Microsoft confirmed that attacks could be launched through Outlook Express, a free e-mail client bundled with Windows XP. Because Outlook Express renders HTML-based messages using IE's engine, attackers could exploit the bug by getting users to open or view malicious messages.

This will be the second out-of-cycle patch from Microsoft in the last two months. In late October, it issued an emergency fix for a critical vulnerability in the Windows Server service; like IE's bug, that one had been actively exploited before Microsoft was able to come up with a patch.

According to Tuesday's advance notification, Microsoft will provide patches to users of Windows 2000, XP, Vista, Server 2003 and Server 2008 for IE5.01, IE6 and IE7. A separate patch will apparently be issued tomorrow for IE8 Beta 2, a preview version of Microsoft's next browser that is not officially on the support list.

Tags microsoft patchesInternet Explorer

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld

1 Comment

lloyd_borrett

1

AVG 8.0 Protects Against This IE Vulnerability

Security software from AVG already effectively blocks attempts by cyber criminals seeking to capitalise on this vulnerability in Microsoft's Internet Explorer web browser.

Commercial AVG 8.0 security software products have provided protection against this vulnerability since 11th December. AVG Technologies estimates that its software has already blocked close to 5,000 attacks against 3,000 users since Microsoft announced the flaw.

Computer users can immediately safeguard their systems by downloading a trial version of AVG software at www.avg.com.au.

AVG software provides the most timely, precise and reliable safe searching and surfing protection by analyzing web pages at the only time it matters - when the user is about to visit them. AVG offers the security software industry's only real-time web exploit detection and prevention, using proprietary behavioral analysis and other breakthrough technologies to protect personal information and defend against unwanted intrusions while users are on the web.

Best Regards, Lloyd Borrett
Marketing Manager, AVG (AU/NZ)
Australian & New Zealand distributors of AVG Anti-Virus & Internet Security Products
www.avg.com.au

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?