Microsoft delivering fix to counter zero-day IE exploits

Microsoft says it will release a patch on Friday for the zero-day vulnerability in Internet Explorer that has prompted some security researchers to urge IE users to switch browsers.

The out-of-band patch will be issued about 1 p.m. Eastern time, according to an advisory from the Microsoft Security Response Center, which recommended that the patch be installed “as soon as it is available.”

Meanwhile, the company issued a Fix it for the flaw, which Microsoft said was a one-click solution that provides protection without a reboot. But it is only a temporary measure until the patch ships.

An exploit for the flaw, which affects multiple versions of IE, was discovered last weekend by security researcher and blogger Eric Romang. Shortly afterward, Jaime Blasco, a researcher at AlienVault, found three other exploits targeting defense contractors in the United States and India.

The vulnerability, which was found being exploited in a relatively small number of attacks, lets a malicious web page use a Flash animation to bypass the browser's exploit mitigations and then execute code remotely on the visitor's machine. Simply visiting a malicious or compromised website with a vulnerable version of IE is enough to trigger the attack.

The exploits were attributed to a hacker group in China dubbed Nitro, which in 2011 attacked systems in the chemical industry and at some defense contractors, and which was recently found exploiting a zero-day flaw in Java 7 that Oracle has since patched. Romang said some of the IE exploits were being served from the same server as the Java attacks.

The IE flaw affects versions 6, 7, 8 and 9 on just about any version of Windows. Because that covers about 40 percent of users in North America, security experts advised people to switch to another browser, such as Chrome or Firefox, until a patch is issued. In Germany the government made the appeal official, with the Federal Office for Information Security (BSI) urging people to switch browsers.

Before issuing the Fix it on Sept. 19, Microsoft had recommended that IE users install the company's Enhanced Mitigation Experience Toolkit (EMET) as a temporary measure and set the Internet zone security level to High, which blocks ActiveX controls and Active Scripting.
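The Internet-zone part of that interim advice can be applied and checked from PowerShell. The script below is an added example for this article, not Microsoft's Fix it or anything from the original page; it assumes per-user IE settings under HKCU that are not locked by Group Policy, and uses the standard Internet Settings zone map (zone 3 is the Internet zone, registry value 1200 is "Run ActiveX controls and plug-ins", 1400 is "Active scripting", and CurrentLevel 0x12000 is the High template). EMET and the Fix it are separate steps and are not covered here.

```powershell
# Added example (not from the article): apply and verify the interim
# mitigation Microsoft recommended before the Fix it -- Internet zone at
# "High", with ActiveX controls and Active Scripting disabled.
# Assumptions: per-user settings (HKCU) not overridden by Group Policy;
# standard Internet Settings zone layout (Zones\3 = Internet zone).

$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL-action values in the zone key: 0 = Enable, 1 = Prompt, 3 = Disable.
$settings = @{
    'CurrentLevel' = 0x12000   # High template (0x11000 = Medium, 0x11500 = Medium-High)
    '1200'         = 3         # Run ActiveX controls and plug-ins: Disable
    '1400'         = 3         # Active scripting: Disable
}

function Set-IEInternetZoneHigh {
    # Write each value as a REG_DWORD under the Internet zone key.
    foreach ($name in $settings.Keys) {
        Set-ItemProperty -Path $zone -Name $name -Value $settings[$name] -Type DWord
    }
}

function Test-IEInternetZoneHigh {
    # Read the key back and report any value that does not match the target.
    $current = Get-ItemProperty -Path $zone
    $ok = $true
    foreach ($name in $settings.Keys) {
        $actual = $current.$name
        if ($actual -ne $settings[$name]) {
            Write-Warning ("{0}: expected 0x{1:X}, got {2}" -f $name, $settings[$name], $actual)
            $ok = $false
        }
    }
    return $ok
}

Set-IEInternetZoneHigh
if (Test-IEInternetZoneHigh) {
    'Internet zone is at High with ActiveX and Active Scripting disabled.'
}
```

Two caveats a practitioner should keep in mind: if the machine is domain-joined, policy keys under HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings (or the Security_HKLM_only setting) take precedence over HKCU, so the check above can pass while the effective zone level is something else; and the High level breaks a large share of ordinary sites, which is why Microsoft positioned it as a stopgap to be reverted once the Fix it or the patch is in place.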

Yunsun Wee, director of Microsoft’s Trustworthy Computing initiative, said Friday’s patch would be cumulative, and said the company would hold a webcast on the issue Friday at 3 p.m. Eastern.

About the Author

Kevin McCaney is editor of Defense Systems. Follow him on Twitter: @KevinMcCaney.

Reader Comments

Fri, Sep 21, 2012

How many new bugs will MS introduce with the patch?

Fri, Sep 21, 2012

Typical "closing the barn door after the horse is out" response from Micro$oft. If Gates spent his money fixing (or better yet, creating good) software instead of promoting his favorite "charity du jour" maybe M$ product wouldn't have these problems in the first place.

Fri, Sep 21, 2012

Another statement that isn't true (yet). E-mail teaser says "Fix is in..." Headline says "Microsoft Delivering..." Fact: Not released yet. Come on, a little accuracy please.
