Microsoft to release emergency patch for IE

Microsoft has released further information on a patch for the zero-day vulnerability in Internet Explorer that affects versions IE6 to IE9

The Internet Explorer maker has made available a "fix-it" that uses its application compatibility shim mechanism to fix the code segment affected on all versions of the browser.

Microsoft also announced that it is working on an out-of-cycle patch scheduled for release on 21 September, rather than in its next monthly Patch Tuesday security update in October.

“The decision on whether to deploy the fix-it or wait for the final patch should take into account that attacks are not widespread yet,” said Wolfgang Kandek, chief technology officer at security firm Qualys.

“Currently, attacks using the vulnerability continue to be of the targeted type, with low infection rates reported,” he said.  

The zero-day flaw, which does not affect Internet Explorer 10, was identified by researcher Eric Romang, according to a blog post by security research firm Rapid7, which has incorporated the exploit into its Metasploit testing tool.

“The exploit, which had already been used by malicious attackers in the wild before it was published in Metasploit, is affecting about 41% of internet users in North America and 32% worldwide [according to StatCounter],” the company said.

“We have added the zero-day exploit module to Metasploit to give the security community a way to test if their systems are vulnerable and to develop counter-measures,” said the Rapid7 blog post.

Earlier in the week, Microsoft released a security advisory on the vulnerability, containing mitigations and workarounds that businesses could use until a patch is available.

According to the advisory, the vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website.

The company also said it was working with partners in the Microsoft Active Protections Program (MAPP) to share information that they can use to provide broader protection to customers.

1 comment

What Microsoft SHOULD do is to pull off the whole of IE and make a decent web browser available instead. For example, one that follows generally agreed standards, and isn't massively leaking every other three months.