Microsoft to patch Internet Explorer zero-day flaw today

An out-of-band update will be released today to fix a zero-day vulnerability in Internet Explorer, versions 6, 7 and 8, which will prevent hackers from exploiting a hole that could allow the remote execution of malicious code.
Written by Zack Whittaker, Contributor

Microsoft will later today release an update for a critical zero-day flaw in Internet Explorer (versions 6, 7 and 8), which allows hackers to remotely execute malicious code, without user intervention or warning, if a user accesses an infected Web site.


Discovered in December, the flaw lies in how "Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated," according to the software giant.

"The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site."

Users of Internet Explorer 9, and Internet Explorer 10 on Windows 8 and Windows RT machines -- including Surface RT and Surface Pro tablets -- are not affected.

While Microsoft issued a temporary fix after the critical flaw was found, the software giant will later today issue a full patch, along with a webcast to explain the implications of the flaw and the procedures in which to mitigate any attacks. 

The software patch will be made available through Windows Update and other, usual distribution channels, later today. However, if users already applied the "Fix It" tool released in Security Advisory 2794220, it is not necessary to uninstall the patch before applying the security update, the company said.

Microsoft had told network and IT administrators to use Microsoft's own Enhanced Mitigation Experience Toolkit (EMET) to help mitigate any attacks, some security experts had warned that they had seen evidence to suggest that hackers were able to bypass this solution and still run remotely executed code.

Sophos security expert and blogger Paul Ducklin explained: "When the crooks are already all over an exploit, as they are in this case, you should give patching your highest priority, even if you already have tools (such as security software) that does a good job of mopping up the trouble."

"Several Web sites have already been disseminating malware using this exploit, triggering it with a mixture of HTML, JavaScript and Flash," he added. 

Editorial standards