Microsoft preps emergency IE patch for Wednesday release
Microsoft Corp. will issue an emergency patch on Wednesday to quash a critical bug in Internet Explorer (IE) that attackers have been exploiting for more than a week, the company announced Tuesday.
The advance warning came less than a week after Microsoft acknowledged that exploit code had gone public and was being used by hackers to hijack Windows PCs running IE.
Microsoft will deliver the out-of-cycle patch Wednesday at 1 p.m. EST via its normal update mechanisms, including Windows Update, Microsoft Update and Windows Server Update Services (WSUS).
The update will be pegged "critical," the most serious ranking in Microsoft's four-step scoring system.
Even as it declared that it would release an emergency fix, Microsoft continued to downplay the threat. "At this time, we are aware only of attacks that attempt to use this vulnerability against Windows Internet Explorer 7," said company spokesman Christopher Budd in an e-mail Tuesday.
Initially, Microsoft and other security companies believed that only IE7 was vulnerable to attack, but on review, the company confirmed that all versions of its browser, including IE5.01, IE6 and IE8 Beta 2, contain the bug.
Last weekend, Microsoft researchers said that they had seen a "huge increase" in attacks, and that some were originating from legitimate Web sites. Another researcher added that about 6,000 infected sites were serving up exploits that target the IE vulnerability.
Also today, Microsoft confirmed that attacks could be launched through Outlook Express, a free e-mail client bundled with Windows XP. Because Outlook Express renders HTML-based messages using IE's engine, attackers could exploit the bug by getting users to open or view malicious messages.
This will be the second out-of-cycle patch from Microsoft in the last two months. In late October, it issued an emergency fix for a critical vulnerability in the Windows Server service; like IE's bug, that one had been actively exploited before Microsoft was able to come up with a patch.
According to Tuesday's advance notification, Microsoft will provide patches to users of Windows 2000, XP, Vista, Server 2003 and Server 2008 for IE5.01, IE6 and IE7. A separate patch will apparently be issued tomorrow for IE8 Beta 2, a preview version of Microsoft's next browser that is not officially on the support list.
» posted by ITworld staff
Computerworld
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
IE
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
