
Microsoft to Issue Out-of-band Patch for Internet Explorer

Microsoft has said it will release an out-of-band patch this afternoon to address the recently discovered Internet Explorer vulnerability that has been used in separate targeted attacks. The security fix comes just one week after January’s monthly security release from Redmond.

Just before the start of the year, Microsoft acknowledged that a vulnerability in Internet Explorer was used in targeted attacks. The flaw was first spotted being used in a drive-by-download attack on the Council on Foreign Relations’ (CFR) website. A day after the confirmation was published, Microsoft released a Fixit option, which would help mitigate – but not fully patch – the issue. Yet, the Fixit solution was easily bypassed by researchers, rendering the protection it offered useless.

On Sunday, Microsoft announced that they would be patching the Internet Explorer flaw out-of-band, and encouraged administrators and end users to patch as soon as possible.

The patch, which will be available for Internet Explorer versions 6, 7, and 8 (IE 9 and IE 10 are not affected), is scheduled for release at 1:00 p.m. EST today. “While we have still seen only a limited number of customers affected by the issue, the potential exists that more customers could be affected in the future,” wrote Dustin Childs, group manager for the company's Trustworthy Computing Group, on the company blog.

“We recommend that you install this update as soon as it is available. This update for Internet Explorer 6-8 will be made available through Windows Update and our other standard distribution channels. If you have automatic updates enabled on your PC, you won’t need to take any action.”

Systems that applied the Fixit solution will not need to uninstall it before applying the patch. Microsoft has rated this latest security release with a severity rank of Critical.

Additional details are available here

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.