Microsoft has released further information on a patch for the zero-day vulnerability in Internet Explorer that affects versions IE6 to IE9.
Microsoft also announced that it is
working on an out-of-cycle patch scheduled for release on 21 September, rather than in its next
monthly Patch Tuesday security update in October.
“The decision on whether to deploy the fix-it or wait for the final patch should take into account that attacks are not widespread yet,” said Wolfgang Kandek, chief technology officer at security firm Qualys.
“Currently, attacks using the vulnerability continue to be of the targeted type, with low infection rates reported,” he said.
The zero-day flaw, which does not affect Internet Explorer 10, was identified by researcher Eric Romang, according to a blog post by security research firm Rapid7, which has incorporated the exploit into its Metasploit testing tool.
“The exploit, which had already been used by malicious attackers in the wild before it was published in Metasploit, is affecting about 41% of internet users in North America and 32% worldwide [according to StatCounter]," the company said.
“We have added the zero-day exploit module to Metasploit to give the security community a way to test if their systems are vulnerable and to develop counter-measures,” said the Rapid7 blog post.
According to the advisory, the vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer, and an attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
The company also said it was working with partners in the Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protection to customers.