Microsoft to issue emergency security patch to plug Internet Explorer vulnerability

17 Dec 2008

Microsoft will issue an emergency security patch later today for all versions of Internet Explorer. The patch is a critical fix for the security flaw currently being exploited against the IE browser. So far, more than 2 million computers are believed to have been infected.

An advance notification of the patch, published Tuesday, describes it as a fix for a "remote code execution" vulnerability. The move follows the security advisory Microsoft posted last Wednesday, after its monthly Patch Tuesday bulletin release on 9 December, which explained the vulnerability and suggested temporary "workarounds" for protection; the company updated that advisory on Monday.

Microsoft said that it is aware of active attacks exploiting the vulnerability, but noted in its warning that it was only aware of attacks against IE7.

Initially, Microsoft and other security companies believed that only IE7 was vulnerable to attack, but on review, the company confirmed that all versions of its browser, including IE5.01, IE6 and IE8 Beta 2, contain the bug.

Last weekend, Microsoft researchers said that they had seen a "huge increase" in attacks, and that some were being served from legitimate Web sites that had been compromised. Another researcher estimated that about 6,000 infected sites were serving exploits targeting the IE vulnerability.

An attacker can exploit the flaw to steal personal data such as passwords when a user merely visits a compromised Web site; at least 10,000 such sites are thought to exist. Thus far, the vulnerability has been used primarily to harvest online-gaming passwords for sale on the black market. The hole could, however, also be used to steal more sensitive information such as banking passwords and other private data.

Experts say that this bug is particularly dangerous because it requires almost no user interaction. Rather than having to open an infected attachment or agree to download software, users only have to visit a Web page already laden with the malicious code for the exploit to succeed, a so-called drive-by download. Because the exploit runs with the privileges of the logged-on user, the attacker's code can then steal financial information, passwords, and other credentials, or enlist the machine in a botnet, a network of compromised computers used to distribute spam and malware.

Microsoft's emergency security patch will become available Wednesday at 1 p.m. EST through Microsoft Update as well as from the Microsoft Download Center. The update will be rated "critical," the most serious ranking in Microsoft's four-level severity system. All users of IE5, 6, and 7 are advised to install it; users who applied any of the advisory's workarounds should still install the patch, since the workarounds only limit exposure and do not remove the flaw. A separate patch is expected for users of IE8 Beta 2. More details are expected by midday Wednesday, when Microsoft officially issues its security bulletin.

This will be the second out-of-cycle patch from Microsoft in the last two months. In late October, it issued an emergency fix for a critical vulnerability in the Windows Server service; like the IE bug, that one was being actively exploited before Microsoft was able to ship a patch.

While the patch should protect IE users once applied, security experts expect attacks to intensify in the meantime, as malware authors time the release of their exploit code around Microsoft's patch cycle in order to maximize their window of exposure, or "attack time."