Microsoft to patch critical IE vulnerability to block ongoing attacks

Microsoft plans to issue two bulletins next week as part of its regular patching cycle, blocking two new zero-day vulnerabilities that surfaced recent weeks and are being actively targeted by attackers.

In its advance notification to customers, the software giant said it would repair a critical Internet Explorer vulnerability. The IE zero-day vulnerability, which was reported on Dec. 9 by French security firm VUPEN, could be used by attackers in drive-by attacks, the firm warned. Proof-of-concept code was added Dec. 22 as a module to the Metasploit Framework. The zero-day flaw affects Internet Explorer 6, 7 and 8.

Microsoft will also plug a hole in the Windows Graphics Rendering Engine, which surfaced this week. The security bulletin is rated Important.

Microsoft said the vulnerability enables an attacker to use an embedded thumbnail image containing malicious code in drive-by attacks or by tricking a user to open a malicious Word or PowerPoint file. The vulnerability affects all versions of Windows except Windows 7 and Windows Server 2008 R2.

The vulnerability was demonstrated last month by security researchers at the Power of Community security conference in Korea. The maintainers of the Metasploit Framework created a module for the zero-day flaw Tuesday and Microsoft said it has begun detecting attacks targeting the vulnerability.

The security bulletins are scheduled to be released Jan. 11. In December, Microsoft issued a record 17 security bulletins, repairing 40 vulnerabilities across its product line. The bulletins included patches that addressed seven critical flaws in both client-side software and server systems.

~Robert Westervelt