Microsoft to ship emergency IE patch to thwart active attacks

Microsoft has announced plans to ship a critical out-of-band Internet Explorer update tomorrow (Friday, September 21) with fixes for a dangerous browser vulnerability.

The emergency fix comes a week after news emerged that a zero-day flaw in the browser was being exploited in targeted attacks.

The vulnerability affects all versions of the browser up to Internet Explorer 9.  The newest IE version 10 is not affected by this issue.

The raw details:

"A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website."

Microsoft insists the in-the-wild attacks only affect "a small number" of Windows users but warned that there is a legitimate risk of these attacks expanding beyond specific targets.

The company has also released a Fix it tool that provides a temporary fix for users worried about the attacks.  The Fit it is described as "an easy, one-click solution that will help protect your computer right away.  It will not affect your ability to browse the web, and it does not require a reboot of your computer."