Microsoft: Patch for critical IE zero-day bug coming Friday
In the meantime, releases stopgap measure
Computerworld - Microsoft on Wednesday released a stopgap defense that protects Internet Explorer (IE) against attacks until the company issues a patch on Friday.
The update will fix five flaws, including one revealed by a security researcher last weekend that hackers have been exploiting to hijack Windows PCs and infect them with malware.
The so-called "zero-day" vulnerability -- meaning it was leveraged by attackers before Microsoft was aware of the bug, much less able to patch it -- has been analyzed and discussed by security experts with increasing intensity since Monday.
Wednesday, for example, U.K.-based Sophos raised its threat level to "high," following moves earlier in the week by rivals like Symantec, which boosted its Internet barometer to "ThreatCon 2."
On Wednesday, Microsoft published a "Fixit" -- one of its automated configuration tools -- that blocks the known exploits. The Fixit has been posted in a support document on Microsoft's website.
The tool is only a temporary measure.
"This Friday, Sept. 21, we will release a cumulative update for Internet Explorer through Windows Update and our other standard distribution channels," said Yunsun Wee, director of Microsoft's Trustworthy Computing Group, in a blog post. "We recommend that you install this update as soon as it is available."
Wee said that the update, tagged as MS12-063, will patch the zero-day bug as well as four other critical vulnerabilities.
Friday's "out-of-band" update will be the first emergency patch that Microsoft has released this year and only the second since September 2010. It will also be the first emergency patch of an IE zero-day vulnerability since one in January 2010 that fixed a flaw exploited by the "Aurora" Trojan horse.
Hackers infected Windows PCs at Google and other Western companies with Aurora in late 2009 and early 2010 by exploiting a then-unpatched bug in IE6. Google accused Chinese hackers of breaking into its network, a charge that prompted the search giant to threaten a shutdown of its Chinese operations.
While Wee continued Wednesday to say that Microsoft was aware of only a "small number of customers" victimized by the newest IE zero-day, the company typically unleashes an emergency update only when it believes the threat is substantial and when the volume of attacks is quickly increasing.
IE6, IE7, IE8 and IE9 all are vulnerable to attack, Microsoft confirmed in an advance notice of the impending patch. Only IE10, the version bundled with Windows 8, does not contain the bug.
One security researcher predicted at least part of Microsoft's news several hours before the Redmond, Wash., software maker announced its next move.
"I think we'll see the Fixit today and [a] patch tomorrow," said Andrew Storms, director of security operations at nCircle Security, during a Wednesday instant message conversation. "They've been communicating something every day so far this week," Storms said.
On Tuesday, Microsoft said it would issue a Fixit tool "in the next few days."
Microsoft will release the emergency update at approximately 1 p.m. ET Friday via the Microsoft Update and Windows Update services, as well as through WSUS (Windows Server Update Services), the de facto corporate patch deployment tool.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.