Microsoft To Launch Out-Of-Band Patch For Critical IE Flaw
Microsoft did not say when the update would be released, but promised to have more information about the impending patch on Wednesday.
Security researchers say that the IE vulnerability was exploited by hackers in a series of cyberattacks against Google earlier this month.
Security experts say that they have thus far seen only targeted attacks exploiting the flaw in the aging IE 6. However, researchers said in a blog post Monday that there are reports of published proof-of-concept code exploiting the same vulnerability on IE 7, and on Windows XP and Windows Vista.
Microsoft Trustworthy Computing Security General Manager George Stathakopoulos said in a blog post Tuesday that the company was "actively investigating, but cannot confirm, these claims."
"Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment, Microsoft will release a security update out-of-band for this vulnerability," Stathakopoulos said. "We take the decision to go out-of-band very seriously given the impact to customers, but we believe releasing an update out-of-band is the right decision at this time."
Specifically, the flaw is an invalid pointer reference within the IE Web browser: in certain situations a pointer to an object remains accessible to an attacker after that object has been deleted, Microsoft said. An attacker can then exploit the error to achieve remote code execution through IE.
During the attack, a hacker could lure victims into viewing a maliciously crafted Web site in IE, typically through a social engineering scheme delivered via e-mail that entices users to click on a malicious link. An attacker could also inject malicious code into an existing legitimate Web site, which would in turn infect visitors' PCs with malware.
Hackers could then launch malware designed to infiltrate users' computers, steal information and record keystrokes. Until a patch is widely deployed, Microsoft recommends that users upgrade to the latest IE 8 or apply the workarounds in its security advisory, released Friday. The workarounds include keeping IE on Windows 7 and Vista in its most secure "protected mode" setting, and enabling data execution prevention (DEP), which is designed to reduce the risk of online attacks.
Microsoft also suggested that users set the Internet and local intranet security zones to "high" so that IE prompts before running any ActiveX controls or Active Scripting, configure IE to prompt before running Active Scripting, or disable Active Scripting altogether for the Internet zone.
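As an added illustration that is not part of the article or of Microsoft's advisory, the following read-only PowerShell audit reports whether the zone settings named in the workarounds above are in place for the current user. It assumes the standard per-user zone registry layout (zone 1 = Local intranet, zone 3 = Internet; value 1400 = Active Scripting, 1200 = Run ActiveX controls and plug-ins; 0 = Enable, 1 = Prompt, 3 = Disable; CurrentLevel 0x12000 = High).

```powershell
# Added audit script, not from the article or from Microsoft.
# Assumed registry layout (standard for IE zone settings):
#   zone 1 = Local intranet, zone 3 = Internet
#   value 1400 = Active Scripting, 1200 = Run ActiveX controls and plug-ins
#   data 0 = Enable, 1 = Prompt, 3 = Disable; CurrentLevel 0x12000 = High
$ZoneBase  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones     = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Actions   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$HighLevel = 0x12000

function Get-ZoneValue {
    param([int]$Zone, [string]$Name)
    $key  = Join-Path $ZoneBase $Zone
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: IE default applies
    return [int]$item.$Name
}

function Describe-Action {
    param($Value)
    if ($null -eq $Value) { return 'not set (default)' }
    if ($Actions.ContainsKey($Value)) { return $Actions[$Value] }
    return "unknown ($Value)"
}

foreach ($z in ($Zones.Keys | Sort-Object)) {
    $level   = Get-ZoneValue -Zone $z -Name 'CurrentLevel'
    $script  = Get-ZoneValue -Zone $z -Name '1400'
    $activeX = Get-ZoneValue -Zone $z -Name '1200'

    # The workaround is satisfied when the zone is at High, or when both
    # Active Scripting and ActiveX are set to Prompt or Disable rather
    # than running silently.
    $scriptOk  = ($script  -eq 1) -or ($script  -eq 3)
    $activeXOk = ($activeX -eq 1) -or ($activeX -eq 3)
    $meetsWorkaround = ($level -eq $HighLevel) -or ($scriptOk -and $activeXOk)

    [PSCustomObject]@{
        Zone            = $Zones[$z]
        Level           = if ($null -eq $level) { 'not set' } else { '0x{0:X}' -f $level }
        ActiveScripting = Describe-Action $script
        ActiveX         = Describe-Action $activeX
        MeetsWorkaround = $meetsWorkaround
    }
}
```

Run it in a normal user session before and after applying the advisory's zone changes; a `MeetsWorkaround` of `False` for the Internet zone means Active Scripting or ActiveX still runs without a prompt.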
Microsoft published a guidance page, including an online video, for users about the IE 6 security vulnerability, which includes ways to protect themselves from the known attacks.