Out-of-cycle IE patch may be imminent
Microsoft may release a critical Internet Explorer fix before the next Patch Tuesday, amid reports that malicious code is targeting a memory corruption flaw.
Chances are good Microsoft will release a critical fix for Internet Explorer before Dec. 13, its next scheduled patch release date. That's because malicious code -- most notably TrojanDownloader.Win32/Delf-DH -- is targeting a memory corruption flaw in the browser.
"This issue was originally reported to the public in May as being a stability issue that caused the browser to close," the software giant said in an updated advisory on its Web site. "Since then, new information has been posted that indicates remote code execution could be possible. We have also been made aware of proof-of-concept code and malicious software targeting the reported vulnerability."
In a separate advisory, Microsoft warned that TrojanDownloader.Win32/Delf-DH is targeting the flaw. "This Trojan is downloaded to a computer automatically when a user visits certain Web sites," Microsoft said.
Microsoft urged customers to visit its new Windows Live Safety Center and use the complete scan option "to check for and remove this malicious software and future variants." Meanwhile, the software giant said, "Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."
Scott Fendley, a handler for the Bethesda, Md.-based SANS Internet Storm Center, wouldn't be surprised if there is an out-of-cycle patch. "I think it is a safe bet that Microsoft will take appropriate steps to fix the problem as quickly as possible," he said on the center's Web site. Until then, he offered this advice:
1.) "Be vigilant. Know that a patch will be forthcoming hopefully within the next two weeks and be ready to deploy quickly," he said.
2.) If your organization can operate with one of the workarounds Microsoft has mentioned in [its advisory], "then I recommend mitigating your risk as much as possible," he said. "We all have at least one person who is a little too...uhm...liberal with browsing the Internet on company time. Think about it, that very person is probably shopping for Christmas presents right now on less-than-secure sites."
The vulnerability is due to a memory corruption error when processing malformed HTML pages containing specially crafted calls to the JavaScript 'window()' object and the 'body onload' tag. Attackers who exploit the flaw could take complete control of an affected system by convincing a user to visit a malicious Web page.