Microsoft to patch IE zero-day bug next week

Slates six updates for Patch Tuesday to fix critical flaws in Windows, IE, Office

Microsoft today said it will deliver six security updates on Tuesday, including one that will patch a vulnerability in Internet Explorer (IE) the company admitted only last week.

The updates will patch a total of 12 flaws in Windows, IE and Microsoft Office, the company said in a follow-up entry to its security response center's blog .

At the top of the patch list, even Microsoft's own, will be an update for IE 5.01, IE6, IE7 and IE8 that has been pegged as "critical," the firm's highest severity rating in its four-step scoring system.

The update will address an IE zero-day vulnerability that Microsoft confirmed Nov. 23 in a security advisory. "I want to point out that Internet Explorer 8 is not affected on any platform and that running Protected Mode in Internet Explorer 7 on Windows Vista mitigates this issue," said Jerry Bryant, a spokesman for the Microsoft Security Response Center (MSRC), in a blog post announcing the advisory last week.

Microsoft's advisory was its reaction to proof-of-concept attack code that had gone public several days before, when it was posted to the popular Bugtraq security mailing list. The sample code exploited a flaw in IE's layout parser, and could be used to hijack fully-patched Windows machines.

Next Tuesday's update, however, will quash bugs in all still-supported versions of IE, not just IE6 and IE7, a fact Microsoft confirmed today . "We want to make customers aware that we will be addressing the vulnerability discussed in Security Advisory 977981 in the IE bulletin on Tuesday," Bryant said in another blog post.

The advisory Bryant called out was the one Microsoft issued last week. "We know that customers are concerned about this issue and we are also aware that Proof of Concept (PoC) code is available publicly."

Microsoft's advance notification spelled out the significance of the problem with IE: All versions of its browser contain one or more flaws when run on Windows 2000, Windows XP, Vista, Server 2003 and even Windows 7. Only the company's newest server products -- Server 2008 and Server 2008 R2 -- are somewhat safer.

However, that doesn't mean IE 5.01 and IE8 are suddenly vulnerable to last week's zero-day exploit, said Andrew Storms, director of security operations at nCircle Network Security. Microsoft confirmed to Storms that the IE update contains fixes for multiple vulnerabilities; it's not unusual for Microsoft to quash several bugs in a single update.

"Last week's zero-day is still not applicable to IE8," Storms said after he consulted with MSRC. "Some other bug is also being patched in the same bulletin."

The attack code that went public Nov. 20 was not only unreliable, according to security experts who dived into the exploit, but was touted as only affecting IE6 and IE7 on Windows XP. Later, Microsoft said that Vista users would be protected to a degree not enjoyed by XP customers because the former's "sandbox" would limit the ability of the exploit to compromise the PC.

Most outside security researchers, including Storms, were pessimistic last week when asked whether Microsoft could scramble fast enough to fix the flaw in IE6 and IE7. Today, he was impressed. "I would have wavered last week [on] whether they would fix it," he admitted. "But given the impact [of the vulnerability] and the fact that there's code out there, I'm not surprised that they managed it."

Other updates slated for release on Dec. 8 include patches for bugs in Windows; Office 2000 and Office 2003; and Microsoft Project 2000, 2002 and 2003. Three of the six updates will be tagged critical, while the remaining trio will carry the "important" label.

"Frankly, the rest don't matter at this point," said Storms, referring to the non-IE updates. "IE is the top of the news for Microsoft today, and will be next week."

The bright spot, said Storms, is that Microsoft keeps ladling more information onto its pre-Patch Tuesday notification , a preview customers rely on to plan their patching strategy for the following week.

"They're blogging and telling us the number of vulnerabilities and the [affected] applications now, which is great," Storms said, applauding Microsoft's moves. "They continue to increase the amount of information they provide. They're setting a real trend here."

Microsoft will release the six updates at approximately 1 p.m. ET on Dec. 8.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityMicrosoftInternet Explorer

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?