Microsoft to patch Internet Explorer zero-day flaw today

Summary: An out-of-band update will be released today to fix a zero-day vulnerability in Internet Explorer 6, 7 and 8 that is already being exploited in the wild. The flaw allows remote execution of arbitrary code on a victim's machine when the user visits a malicious or compromised website.

TOPICS: Security, Microsoft

Microsoft will later today release an update for a critical zero-day flaw in Internet Explorer 6, 7 and 8. The flaw lets an attacker run arbitrary code with the privileges of the logged-in user, without any prompt or warning, simply by getting the user to visit a malicious or compromised website.

Discovered in December, the flaw lies in the way "Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated," according to Microsoft; this class of bug is commonly known as a use-after-free.

"The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site."
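The bug class in Microsoft's description (a reference to an object that has already been deleted, whose memory is then reused and read again) is easier to picture in code. The C program below is an added example written for this page; it is neither Microsoft's code nor the actual Internet Explorer bug, and every name in it (pool_alloc, Element, legit_handler and so on) is invented for the illustration. It uses a toy slot allocator that hands a freed slot straight back on the next request, which stands in for the heap grooming a real exploit has to arrange (an assumption made for determinism; real allocators are far less predictable). The vulnerable path shows a stale pointer dispatching through attacker-written bytes; the hardened path shows the usual fix for this class, reference counting, so that the object is never freed while any holder still points at it.

```c
#include <stdio.h>
#include <string.h>

/* Toy slot allocator (assumption for the example, not a real heap): every
 * allocation is one fixed-size slot and a freed slot is handed out again on
 * the very next request, so slot reuse is deterministic. */
#define SLOT_SIZE 32
#define NSLOTS 4

typedef union { unsigned char bytes[SLOT_SIZE]; void *align; } Slot;
static Slot pool[NSLOTS];
static int slot_in_use[NSLOTS];

static void pool_init(void) {
    memset(pool, 0, sizeof pool);
    memset(slot_in_use, 0, sizeof slot_in_use);
}

static void *pool_alloc(void) {
    for (int i = 0; i < NSLOTS; i++) {
        if (!slot_in_use[i]) { slot_in_use[i] = 1; return pool[i].bytes; }
    }
    return NULL;
}

/* Like a real free(), this does not scrub the slot's contents. */
static void pool_free(void *p) {
    long i = (long)((Slot *)p - pool);
    if (i >= 0 && i < NSLOTS) slot_in_use[i] = 0;
}

/* Model of a DOM element: a vtable-style function pointer sits first, so
 * whatever lands at the start of a reused slot becomes the call target.
 * refs is only honoured by the hardened path. */
typedef struct Element {
    void (*on_click)(struct Element *);
    int id;
    int refs;
} Element;

static int last_handler;                       /* which handler actually ran */
static void legit_handler(Element *e)    { last_handler = e->id; }
static void attacker_handler(Element *e) { (void)e; last_handler = -1; } /* stands in for shellcode */

static Element *element_create(int id) {
    Element *e = pool_alloc();
    if (!e) return NULL;
    e->on_click = legit_handler;
    e->id = id;
    e->refs = 1;
    return e;
}

/* Attacker-controlled allocation of the same size as an Element (think of a
 * string built from script); its first bytes are a chosen code address. */
static void spray_one_slot(void) {
    unsigned char *buf = pool_alloc();
    void (*target)(Element *) = attacker_handler;
    if (buf) memcpy(buf, &target, sizeof target);
}

/* Vulnerable: the document deletes the element while script still holds a
 * second, uncounted pointer, then the stale pointer is used for dispatch. */
int vulnerable_dispatch(void) {
    pool_init();
    last_handler = 0;
    Element *in_document = element_create(7);
    Element *held_by_script = in_document;      /* dangling after the free below */
    pool_free(in_document);                     /* element removed and freed */
    in_document = NULL;
    spray_one_slot();                           /* freed slot refilled with attacker bytes */
    held_by_script->on_click(held_by_script);   /* use-after-free: runs attacker_handler */
    return last_handler;                        /* -1 */
}

/* Hardened: each holder takes a reference; the object is freed only when the
 * last reference is released, so its slot cannot be reused while live. */
static Element *element_addref(Element *e) { e->refs++; return e; }
static void element_release(Element *e) { if (--e->refs == 0) pool_free(e); }

int hardened_dispatch(void) {
    pool_init();
    last_handler = 0;
    Element *in_document = element_create(7);
    Element *held_by_script = element_addref(in_document);
    element_release(in_document);               /* refs 2 -> 1, object stays alive */
    in_document = NULL;
    spray_one_slot();                           /* lands in a different slot */
    held_by_script->on_click(held_by_script);   /* still legit_handler */
    element_release(held_by_script);            /* refs 1 -> 0, freed now */
    return last_handler;                        /* 7 */
}

int main(void) {
    printf("vulnerable path: handler result %d\n", vulnerable_dispatch());
    printf("hardened path:   handler result %d\n", hardened_dispatch());
    return 0;
}
```

Compile with any C99 compiler (for example `cc -std=c99 -Wall uaf_model.c`). The vulnerable path reports -1, meaning the attacker's function ran through the stale pointer; the hardened path reports 7, the legitimate handler, because the reference held by script kept the object alive until it was released.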

Internet Explorer 9, and Internet Explorer 10 on Windows 8 and Windows RT (including the Surface RT and Surface Pro tablets), are not affected.

Microsoft issued a temporary workaround shortly after the flaw was found; later today it will release a full patch, along with a webcast explaining the implications of the flaw and the procedures for mitigating attacks.

The patch will be distributed through Windows Update and the other usual channels later today. Users who already applied the "Fix It" workaround released with Security Advisory 2794220 do not need to uninstall it before applying the security update, the company said.

Microsoft had also advised network and IT administrators to deploy its Enhanced Mitigation Experience Toolkit (EMET) to help blunt attacks, but some security researchers warned that they had seen evidence that attackers could bypass that mitigation and still achieve remote code execution.

Sophos security expert and blogger Paul Ducklin explained: "When the crooks are already all over an exploit, as they are in this case, you should give patching your highest priority, even if you already have tools (such as security software) that does a good job of mopping up the trouble."

"Several Web sites have already been disseminating malware using this exploit, triggering it with a mixture of HTML, JavaScript and Flash," he added. 

  • More PC malware early on

    Maybe it's just been more in the press lately, with the Java exploits and such. But it seems as if 2012 was the year for mobile malware, especially on Android devices. Maybe the focus is moving back toward the PC? I will be interested to see if anyone bothers with exploits against Win8 considering its lackluster debut. There does not appear to be any urgency for Windows XP users to rush to Windows 8 and Microsoft has kind of handicapped users from moving to Windows 7. My advice to Microsoft is lower the price of Windows 7 and get users at least with the ability to use IE9.
    • "More PC malware early on"?

      Windows 8 adoption is running on par with Windows 7 so I wouldn't call that a "lackluster debut", since, after all, I'm not clueless. Windows 7 is the most used OS in the world and Windows 8 won't take too long to surpass Windows XP, now the second most used OS. If there're fewer attempts to exploit Windows 8 it's because Windows 8 is an extremely tight system so there's not much if anything to exploit. Isn't it funny the way that facts can get in the way of a good diatribe?
      • "Not much if anything to exploit"?

        Then why the patch? Unless you're being hypocritical again.
  • Time for a switch

    Why anybody is still using IE is a mystery to me, especially with a couple of superior browser offerings available. I haven't used IE in years after migrating to Firefox and then Chrome. I let Windows keep updating it but I never actually fire up IE and use it. Heck, right now I'm typing this on Linux Mint KDE 14 so IE isn't even an option. If it weren't for a couple of Windows-only products that I occasionally need to use I'd switch to Linux completely.
    • "still using IE"

      Perhaps because IE9 is far more stable than any competing browser and IE10 is even better. You might actually try a new version of IE before you make claims you can't back up. But, if Linux is the path you prefer, good for you! Try, though, to at least know what you're talking about when you decide to trash something you admit you don't use and refuse to even try out; otherwise, you look like a biased, closed-minded troll. Oh... never mind.
      • IE Stable?

        Not from my experience. I'm not following the Linux path but IMHO and experience Chrome is a far better browser than IE and I use both on a daily basis.
      • No

        It isn't, never was and never will be. A good chunk of the people I personally know who switched to Firefox or Chrome did so out of frustration with "I've fallen and I can't get up" IE.
      • IE is still bundled with the OS

        Hence most brain dead web developers tool to what they know, which is IE.

        Most of them probably don't even know how to deploy (and maintain) Chrome or Firefox to enterprise. That would be beyond their job skills.
    • If you are using ver. 6,7, 8:

      You should be worried. If you are using versions since those versions, I'll meet you at the soda shop!! The rest of you might want to upgrade your browsers????