Microsoft readies emergency IE patch to counter public exploits

Summary: The out-of-band update will be released once the company is satisfied that it has been properly tested against all affected versions of Windows.


UPDATE: Here is the official confirmation from Microsoft that an out-of-band patch is coming.  No official date yet.

Microsoft has started dropping broad hints that an emergency patch for Internet Explorer will be released very soon to counter targeted attacks and the publication of exploit code for a "browse and you're owned" vulnerability in its flagship Web browser.

The out-of-band update will be released once the company is satisfied that it has been properly tested against all affected versions of Windows.  This could happen as early as this weekend.

[ SEE: Microsoft says Google was hacked with IE zero-day ]

The decision to ship the IE patch outside of Microsoft's scheduled Patch Tuesday releases follows the release of exploit code into the Metasploit attack tool.

The Metasploit code only works against Internet Explorer 6, but there are claims in the security research community that the vulnerability has been successfully exploited on IE7 (Windows Vista) as well as IE6 and on Windows XP.

The vulnerability was discovered during zero-day attacks against several big-name U.S. companies, including Google, Adobe and Juniper Networks.  During those attacks, data-stealing malware exploited the flaw against systems running IE6 on Windows XP.

[ SEE: Adobe confirms 'sophisticated, coordinated' breach ]

Microsoft says the ongoing attacks remain "targeted to a very limited number of corporations" and are only effective against Internet Explorer 6.  However, with the exploit code now in Metasploit, malware purveyors could begin tinkering with exploits geared to newer versions of the browser.

Now, Microsoft is imploring its customers to upgrade immediately to IE 8.  A special guidance page has been published to offer information on how to mitigate this vulnerability and avoid attacks.

Microsoft's Security Research & Defense team has created and released a one-click "Fix It" tool to allow users to enable DEP (Data Execution Prevention) on older versions of the browser.  DEP, a crucial anti-exploit mitigation, is enabled by default on IE8 only.

Here is a video showing the Metasploit exploit in action.

* Video from Praetorian Prefect.

  • Where's patch for Office 2007

    When is MS going to release a patch for Office 2007 that contains pirated (stolen) software? It has been convicted twice in US courts for pirating software for iCi (Canada) and forced to remove copies of Office 2007 from retailers' shelves.

    And pay nearly $400 000 000 in damages. Of course like any deep pocketed offender it appeals (lost most recent) and is fighting all the way to Supreme Court.

    iCi had a product that it was selling (to Department of Defense for one) and collecting fees for maintenance contracts.

    This was until MS brought out their version of Office and suddenly iCi's business disappeared. Took years to get courts to force MS to open up their code for Office. Suddenly it was obvious stolen code embedded in Office. MS was caught.
    Where's the patch??
    • Are you for real???

      Do a little Binging and you will find your answer, or can you read?
      • I've done my homework, but clearly you have not

        All web browsers have security issues, but IE8 is the most secure.

        "There is a critical JavaScript vulnerability in the Firefox 3.5 Web browser, Mozilla has warned."

        "For the second time in two weeks, Google has shipped a new version of its Chrome browser to fix a pair of serious security vulnerabilities."

        There are numerous other examples, of course, for those who care to check the facts.
        Tim Acheson
        • There's a difference though...

          Mozilla and Google are patching these
          vulnerabilities BEFORE they're being exploited.

          Mozilla Firefox 3.5.x (the one you mentioned)
          has 0 unpatched vulnerabilities.

          Mozilla Firefox 3.0.x has 0 unpatched

          Google Chrome 3.x has 0 unpatched

          Amongst the older versions of both browsers, I
          found a total of 6 unpatched vulnerabilities--
          the highest rated is "Less Critical".

          Compare this to Microsoft:
          Internet Explorer 8.x 4 unpatched

          Internet Explorer 7.x 11 unpatched

          In both of those, the highest rating is
          "Extremely Critical."

          So yes they are all vulnerable. But, Mozilla
          and Google FIX THEIR VULNERABILITIES in a
          fairly rapid time. The only time Microsoft
          fixes them is if they become highly publicized
          because of an attack.

          Google and Mozilla: Security issue == fix.
          Microsoft. Bad Publicity == fix.

          Have a great day:)
    • Never heard of this one..........

      Of course I did hear about i4i suing Microsoft over an XML-related patent, where Microsoft has to pay $296 million dollars to them... AND remove the infringing content from any product placed on shelves after January 4, 2010 (may be a different date in January, 2010).

      Oh and I did hear that Microsoft has an update up on their site that removes the infringing content from your already purchased copies (even though they are not required to).

      As the other poster mentioned, BING or GOOGLE is your friend ;-)

      Since I know you're a busy troll, here's the link to the information on Microsoft's site;en-us;978951&sd=rss&spid=11377

      Have a great day:)
    • On their website..

    • Irrelevant.

      That's just impertinent anti-MS rhetoric. It's not relevant to the security issue being discussed.

      But for the record, yes there is an update removing that functionality, and has been for some time, so clearly you know nothing about the case you're trying to discuss.

      Of course, this is typical of anti-MS comments posted online: missing basic facts and frequently off-topic.
      Tim Acheson

    It's great to be me! :) I get asked for by name. My popularity is growing not just on ZDNet but on other websites as well. I loveROCK!
    Loverock Davidson
    • You, octo-mom, and balloon boy's dad

      • Don't be jealous

        It's not my fault I'm that good and popular.
        Loverock Davidson
        • Lovie....*SNIFF-SNIFF*

          You stink!
          • Ahhh, Damn!

            I come here for the humor!
        • Popular only for your idiocy. And good only at trolling.

          But hey, if that brings you joy in life, more
          power to you.
          • Feel unpopular?

            Daddy luuuuuuuvs yooooooooo.

            Feel better now?
            Lester Young
          • Much better, thank you. :)

    • Get a grip and get linux.

      • Let us know...

        when Linux can run Windows or OSX commercial grade applications, as opposed to Linux fanboy hacks. We'll wait...
        • It's been able to for a long time.

          Running Linux commercial grade applications on
          Windows, as opposed to Microsoft garbage, on the
          other hand..
          • And YOU call Loverock a troll?

            Time for a good, hard look in the mirror.
            Mr. Slate
          • Did you even read the post mine was in reply to?

            I only repeated the jab that he originally posted.