Microsoft confirms plan to release out-of-band IE update

Microsoft confirmed today that it plans to release an out-of-band security update to address a zero-day vulnerability in Internet Explorer. The update is undergoing testing now.

Update 21-Jan 11:00AM PST: Security Update MS10-002 is now being delivered via Windows Update and Windows Software Update Services. It is also available for manual download and installation. For details, read Microsoft Security Bulletin MS10-002.

Update 20-Jan 10:20AM PST: Microsoft's advance notification for this security update is now available. The update itself will be delivered tomorrow, January 21. According to a Microsoft spokesperson, "This is a standard cumulative update, accelerated from our regularly scheduled February release, for Internet Explorer with an aggregate severity rating of Critical. It addresses the vulnerability related to recent attacks against Google and a small subset of corporations, as well as several other vulnerabilities. Once applied, customers are protected against the known attacks that have been widely publicized."

Microsoft has also updated its Security Advisory to address recent reports of exploit code (created by security researchers) that is capable of bypassing Data Execution Prevention (DEP). Preliminary investigation suggests that the technique might be effective on Windows XP but will be more difficult to exploit on Windows Vista and Windows 7 because of an additional security feature, Address Space Layout Randomization (ASLR), available on those platforms.

I just spoke with George Stathakopoulos, General Manager of Trustworthy Computing Security at Microsoft, regarding the ongoing security issue affecting Internet Explorer. (For background, see my earlier post, It's time to stop using IE6. For an update on the vulnerability and its impact, see this Zero Day blog post from ZDNet's Ryan Naraine.)

According to Stathakopoulos, a security update for all versions of Internet Explorer will be released "out of band" - that is, earlier than the next regularly scheduled update cycle on Patch Tuesday, February 9. The update is currently undergoing testing, and Microsoft expects to announce a release schedule tomorrow, January 19.

Separately, Gregg Keizer at ComputerWorld reports that French security researchers claim to have circumvented the Data Execution Prevention security feature and executed their own exploit code on Internet Explorer 8 with DEP enabled. A Microsoft spokesperson says they are investigating those claims and "will take appropriate action to help protect customers."

Stathakopoulos reiterated that Microsoft so far has seen only "very limited and targeted attacks" and confirmed that the only successful attacks have been against IE6.

I will update this post when further information is available.