Microsoft will issue an emergency update to patch a vulnerability in Internet Explorer (IE) in the next two weeks to fix a flaw criminals have been using for more than a month, researchers said Tuesday.
The company will move on the IE6, IE7 and IE8 bug before the next regularly-scheduled Patch Tuesday because of increasing attacks and proof that temporary workarounds can be circumvented.
"I wouldn't be surprised if they go 'out-of-band,'" said Andrew Storms, director of security operations at nCircle Security, using the term for an emergency update. "They won't want to wait for five weeks, and there's enough pressure on them now to work on an out-of-band."
The pressure Storms referred to includes reports that additional websites have been spotted serving up "drive-by" attacks against older versions of IE, as well as claims from researchers that both the "Fixit" tool Microsoft deployed last week and a long-available advanced anti-exploit tool can be sidestepped.
When Microsoft acknowledged the IE zero-day vulnerability Dec. 29, several security firms said that the website of the Council on Foreign Relations (CFR), a notable U.S. foreign policy think tank, was hosting attack code targeting IE8. Since then, other domains have been found conducting similar drive-bys, including one maintained by an Iranian oil company.
In lieu of a patch, Microsoft issued one of its automated "Fixit" tools to block attacks, and also recommended that customers deploy the Enhanced Mitigation Experience Toolkit (EMET), a separate anti-exploit utility.
But according to Exodus Intelligence, a company composed of several former researchers with HP TippingPoint and its bug-bounty program, both workarounds can be outflanked.
A Twitter exchange between Aaron Portnoy of Exodus and Jonathan Ness, a security engineer at Microsoft, revealed that the Fixit bypass was likely legitimate. "We think you are probably right," Ness tweeted yesterday.