Microsoft confirms plan to release out-of-band IE update

Summary: Microsoft confirmed today that it plans to release an out-of-band security update to address a zero-day vulnerability in Internet Explorer. The update is undergoing testing now.


Update 21-Jan 11:00AM PST: Security Update MS10-002 is now being delivered via Windows Update and Windows Software Update Services. It is also available for manual download and installation. For details, read Microsoft Security Bulletin MS10-002.

Update 20-Jan 10:20AM PST: Microsoft's advance notification for this security update is now available. The update itself will be delivered tomorrow, January 21. According to a Microsoft spokesperson, "This is a standard cumulative update, accelerated from our regularly scheduled February release, for Internet Explorer with an aggregate severity rating of Critical. It addresses the vulnerability related to recent attacks against Google and a small subset of corporations, as well as several other vulnerabilities. Once applied, customers are protected against the known attacks that have been widely publicized."

Microsoft has also updated its Security Advisory to address recent reports of exploit code (created by security researchers) that is capable of bypassing Data Execution Prevention (DEP). Preliminary investigation suggests that the technique might be effective on Windows XP but will be more difficult to exploit on Windows Vista and Windows 7 because of an additional security feature, Address Space Layout Randomization (ASLR), available in those platforms.

I just spoke with George Stathakopoulos, General Manager of Trustworthy Computing Security at Microsoft, regarding the ongoing security issue affecting Internet Explorer. (For background, see my earlier post, It's time to stop using IE6. For an update on the vulnerability and its impact, see this Zero Day blog post from ZDNet's Ryan Naraine.)

According to Stathakopoulos, a security update for all versions of Internet Explorer will be released "out of band" - that is, earlier than the next regularly scheduled update cycle on Patch Tuesday, February 9. The update is currently undergoing testing, and Microsoft expects to announce a release schedule tomorrow, January 19.

Separately, Gregg Keizer at ComputerWorld reports that French security researchers claim to have circumvented the Data Execution Prevention security feature and executed their own exploit code on Internet Explorer 8 with DEP enabled. A Microsoft spokesperson says they are investigating those claims and "will take appropriate action to help protect customers."

Stathakopoulos reiterated that Microsoft so far has seen only "very limited and targeted attacks" and confirmed that the only successful attacks have been against IE6.

I will update this post when further information is available.

Topics: Browser, Microsoft, Security


  • Microsoft confirms plan to release out-of-band IE update

    Not a big deal, Microsoft has released out of band patches before, this won't be the first or the last. The important thing is they recognized the vulnerability and did something about it.
    Loverock Davidson
    • Apple just released some patches.

      Where's Microsoft's?
      • ....

        "Apple just released some patches. Where's Microsoft's?"

        Patch Tuesday and Out of Band patches... try to keep up.
  • RE: Microsoft confirms plan to release out-of-band IE update

    Why use these idiotic tech code words like "out-of-band"?
    The term means nothing to 99.9% of the population.
    • Direct quote

      That's the exact term for it, and I put it in quotes and defined it in the second paragraph.

      What else do you want?
      Ed Bott
      • Part of the syndrome

        Perhaps you could ask them to speak plainly in the first place? MS sometimes lives in a world not entirely congruent with reality, and this perversion of language is part of the psychosis. It's not that you translated for them, it's that translation was necessary at all. Still, we owe you a debt of gratitude for pointing it out, I guess.
        When 2 National security authorities dump on them like they have, it'll take some considerable evidence and track record of delivery before their reputation recovers. When the problem is as bad as it seems to be, then it may be irrecoverable.
      • Two wrongs don't make a right

        Direct quote or not, it's still wrong.

        The patch may be being delivered "out of cycle," which relates to the date and frequency or regularity of delivery, but unless it's being delivered by some method other than network connectivity, it's most certainly in-band.

        Let's see if we can keep the "close enough/same difference" crowd in the trade press from b@sterdizing the term "out of band," as they have already done to "hacker" and "bandwidth," shall we?

        People who can't/shouldn't be expected to know the difference can be forgiven or at least tolerated. Those who do/should know better don't deserve the same tolerance for imprecision.
        • Oh Sweet Jesus! ...

          Can we PLEASE stay on topic and get over "out of cycle" v. "out-of-band"??? Didn't you still understand what was being discussed??

          Ed was using a direct quote from Microsoft in his article; if anyone is at fault for using wrong terminology, it's Microsoft. So let's not flame the messenger, shall we? If you don't have anything useful to contribute, ZIP IT!
    • Out of what type of band?

      "Out-of-band" certainly means NOTHING to me, even though I am an IT professional. Are Microsoft hiring a music band to provide the IE update? Or flicking elastic bands at people who are complaining about the security flaws?
  • Microsoft wants us to think they are doing us a favor

    So sick of Microsoft acting like they are doing us a favor by releasing a patch for a hole early that they more than likely knew about and chose to ignore for a while.

    Microsoft should be ashamed for not patching holes in IE or Windows faster. They should not be praised because they finally released a patch for a hole they knew about.
    • Great leaps

      I don't know how you assume they knew about this. Trust me, if someone had reported this vulnerability to Microsoft previously and it had been ignored, they would have screamed about it to the high heavens. Every single INDEPENDENT researcher who has written about this says it is a new, previously unreported exploit.
      Ed Bott
      • They knew about it around Thanksgiving

        According to Redmond Developer News, they issued a warning at Thanksgiving.

        So they should have patched it before now, is all I was saying.
        • Completely different issue

          That was an issue with CSS and it was patched on December 8.
          Ed Bott
    • Interesting...

      people complain when MS doesn't patch things right away and when they patch something "out of band" or "out of cycle" or whatever term you want to use people STILL complain... Suck it up dude.

      And what - to reply to an earlier post - does APPLE have to do with MS patch releases?
  • SAAS

    I didn't mean to imply that SAAS was here in a usable form. I actually agree with most of your points. On the other hand I think the trends are clear, and becoming clearer in each incarnation of SAAS.
  • RE: Microsoft confirms plan to release out-of-band IE update

    Of course, using silly terms like "out-of-band" is what made me read this article in the first place. Even though it is still a silly term.
  • RE: Microsoft confirms plan to release out-of-band IE update

    I know it's not realistic, but I wish they would just announce a future end-of-life date for IE6, rendering the browser useless after that date. I can dream, can't I?
  • @Ed Bott: Apology in advance for a slightly off-topic question

    Office 2010 has, as you know, built-in protection mechanisms referred to largely as 'sandboxing' on MS TechNet.

    I have not been successful in locating for example documentation on an API in Windows 7, if any, that would give developers the ability to write into their own apps with features such as 'Protected View'.

    Is there API documentation for the sandboxing that Office 2010 affords? If so, a link to it would be appreciated.

    Thank you,
    D T Schmitz
    • Microsoft has newsgroups and developer forums

      That is the appropriate place to ask those questions.
      Ed Bott
      • OK, so when you decide it suits your purpose... revert to applying your 'double-standard' which is oblige your readership by trying to answer their questions even if they are somewhat or even way off-topic.

        I've seen you do that time and time again.

        My question asked for a link to the relevant documentation, not an elaborate explanation from you.

        I am going to assume you already know there isn't any API documentation for how to 'sandbox' a developer's app.

        Only you are just dodging the question.

        That is what we here in these parts call being: "intellectually dishonest".

        That's my take on your response.
        D T Schmitz