Microsoft To Issue Emergency Patch Thursday To Fix IE 6 Flaw
The emergency patch will shore up a critical error in IE 6, which researchers said was used as an entry point for attacks launched from China onto the Google network last week. During the comprehensive cyberattack, hackers exploited the critical IE 6 vulnerability in order to unleash malicious code that infected Google, as well as the networks of more than 30 other companies.
Microsoft researchers said in the company's advanced notification bulletin Wednesday that the patch "addresses the vulnerability related to recent attacks against Google and a small subset of corporations, as well as several other vulnerabilities."
Microsoft researchers have said in several blog posts that they continue to see limited and targeted attacks. So far, the successful attacks have been against IE 6. However, Microsoft's security advisory warns of reports of proof of concept code, designed to bypass Data Execution Prevention (DEP), targeting IE 7 as well as Windows XP and Windows Vista. Microsoft recommends that users running IE 6 upgrade their Web browser to the latest IE 8.
"We have analyzed the proof-of-concept exploit code and have found that Windows Vista and later versions of Windows offer more effective protections in blocking the exploit due to the improved security protection offered by Address Space Layout Randomization," Microsoft said. "On Windows XP, which does not benefit from the improved security protection provided by ASLR, attacks using the DEP bypass techniques are likely to be more effective."
Microsoft said, however, that the DEP bypass technique was not yet publicly available and has not yet appeared in malicious attacks.
Meanwhile, security company McAfee said that its security researchers have seen at least one unofficial patch for the IE vulnerability created by a third party. In a blog post Tuesday, McAfee warned users to be wary of installing patches for the IE flaws issued by vendors other than Microsoft.
"Patching is of course a good idea, don't just apply any patch," said McAfee's George Kurtz in a security blog. "These unofficial patches may seem like a good idea as they appear to provide immediate protection, but applying a patch from an unknown source for software that was created by someone else just isn't a good idea. It can create all kinds of compatibility and performance issues and may be a security risk of its own."
Microsoft researchers recommend that users apply the patch as soon as possible once it becomes available Jan. 21.
"Once applied, customers are protected against the known attacks that have been widely publicized. We recommend that customers install the update as soon as it is available," Microsoft said.
Until then, the company recommends that users apply the suggested workarounds to protect themselves: keeping Windows 7 and Vista on the most secure "Protected Mode" setting and enabling Data Execution Prevention.
Users should also set the Internet and Local intranet security zone settings to "High" so that IE prompts before running any ActiveX controls and Active Scripting, and either configure IE to prompt before running Active Scripting or disable Active Scripting altogether in the Internet zone.
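The workarounds above are ordinary Windows and Internet Explorer settings, so an administrator can audit them across machines rather than trusting that users clicked through the dialogs. The PowerShell script below is an added example, not code from the article or from Microsoft: it reports the installed IE version, the system-wide DEP policy, Protected Mode for the Internet zone, and the ActiveX and Active Scripting actions for the Internet and Local intranet zones, and with `-Apply` it changes silently-enabled ActiveX and Active Scripting to "Prompt". The registry paths, value names (`1200`, `1400`, `2500`) and their codes are the standard per-user IE zone settings as I know them; they are assumptions of this script, not values quoted from the page.

```powershell
# Added example, not code from the article or from Microsoft. Audits the
# interim IE workarounds on the local Windows host; -Apply sets ActiveX and
# Active Scripting in the Internet and Local intranet zones to Prompt.
# Registry paths, value names and codes below are the standard per-user IE
# zone settings (assumed). Group Policy copies of these settings under
# HKLM:\...\Policies override the per-user values and are not inspected here.
[CmdletBinding()]
param(
    [switch]$Apply   # report only unless -Apply is given
)

$ZoneBase = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }

# Per-zone value names (assumed standard IE names).
# Action codes: 0 = Enable, 1 = Prompt, 3 = Disable.  Protected Mode: 0 = on, 3 = off.
$ActiveXRun      = '1200'
$ActiveScripting = '1400'
$ProtectedMode   = '2500'
$Prompt          = 1

function Get-ZoneValue {
    param([int]$Zone, [string]$Name)
    $key  = Join-Path $ZoneBase $Zone
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]($item.$Name)
}

function Describe-Action {
    param($Value)
    if ($null -eq $Value) { return 'not set' }
    switch ($Value) {
        0       { 'Enable (runs without a prompt)' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "unknown ($Value)" }
    }
}

$findings = @()

# 1. Browser version: the article says the successful attacks targeted IE 6.
$ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
$ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
Write-Host "Internet Explorer version: $ieVersion"
if ($ieVersion -like '6.*') {
    $findings += 'IE 6 is installed; the vendor recommends upgrading to IE 8.'
}

# 2. System-wide DEP policy from Win32_OperatingSystem.
#    0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows components only), 3 = OptOut.
$os       = Get-WmiObject -Class Win32_OperatingSystem
$depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$dep      = [int]$os.DataExecutionPrevention_SupportPolicy
Write-Host "DEP policy: $($depNames[$dep])"
if ($dep -eq 0) {
    $findings += 'DEP is off system-wide; enable it (on Vista/7: bcdedit /set nx OptOut, then reboot).'
}
$isVistaOrLater = [int]($os.Version.Split('.')[0]) -ge 6

# 3. Zone settings for Local intranet (1) and Internet (3).
foreach ($z in ($Zones.Keys | Sort-Object)) {
    $name = $Zones[$z]
    $ax   = Get-ZoneValue -Zone $z -Name $ActiveXRun
    $scr  = Get-ZoneValue -Zone $z -Name $ActiveScripting
    Write-Host "[$name] ActiveX: $(Describe-Action $ax); Active Scripting: $(Describe-Action $scr)"

    foreach ($v in @($ActiveXRun, $ActiveScripting)) {
        $cur = Get-ZoneValue -Zone $z -Name $v
        if ($cur -eq 0) {
            if ($Apply) {
                Set-ItemProperty -Path (Join-Path $ZoneBase $z) -Name $v -Value $Prompt -Type DWord
                Write-Host "  -> zone '$name': value $v changed from Enable to Prompt"
            } else {
                $findings += "Zone '$name': value $v is Enable (runs silently); re-run with -Apply to set Prompt."
            }
        }
    }

    # Protected Mode only exists on Vista and later; check it for the Internet zone.
    if ($isVistaOrLater -and $z -eq 3) {
        $pm = Get-ZoneValue -Zone $z -Name $ProtectedMode
        if ($pm -ne 0) { $findings += 'Protected Mode is off for the Internet zone.' }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No gaps found against the listed workarounds.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Run it as the user whose browser profile is being checked, since the zone values live under `HKCU`. Setting the two actions to Prompt reproduces only the part of the "High" template the article calls out; the template also tightens other per-zone settings, so selecting "High" in the IE dialog remains the simpler route on a single machine, and the script is meant for confirming the result across a fleet.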