Feeds

Microsoft will issue emergency IE patch on Thursday

Copycat hackers, take notice

Next gen security for virtualised datacentres

Updated A rare emergency update from Microsoft to patch a critical vulnerability in Internet Explorer will be released on Thursday.

The update will mark only the 10th 12th time Microsoft has issued a security update outside of its normal schedule since 2003, when it began issuing patches on the second Tuesday of each month. It will come a week after the world learned an attack exploiting the potent IE flaw was used to pierce the defenses of Google and at least some of the other 33 large companies that suffered similar assaults.

Microsoft researchers said that they continue to see only limited attacks that exploit the bug and that, so far, they have only succeed against IE 6. But, as reported Tuesday, researchers elsewhere said they have figured out how to bypass security measures offered in later versions of the widely used browser, making it theoretically possible to compromise a much broader base of PCs.

What's more, researchers from anti-virus firm McAfee report they are seeing copycat attacks with exploits modified to install a wide variety of malware. The new attacks are being reported by Chinese users visiting Chinese websites, but the researchers said exploits elsewhere are likely, now that attack code has gone public.

"Given that exploit code is readily available, this is likely the tip-of-the tip of the iceberg in terms of the domains and malware we are likely to see over the next few weeks (and we can expect to see new exploit and related malware variants for many months, if not years, to come)," Craig Schmugar, a threat researcher at McAfee Avert Labs, wrote.

More detail on the follow-on exploits - which came from 8866.org and 3322.org - is here.

Microsoft said the emergency patch will be issued as close to 10 am Seattle time as possible and will contain fixes for several other vulnerabilities as well. The company recommends users install it as soon as possible. The patch will require users to restart their machines.

For the first time, Microsoft said the vulnerability could also be exploited to attack users of its email and office productivity software. Thursday's patch will close holes in those programs as well. Users of Microsoft Access, Word, Excel, or PowerPoint can workaround the issue by disabling ActiveX Controls.

No doubt, members of Microsoft's security team have been working around the clock to fix this bug since learning of it last week. Their work won't be easy, software analyst Geoff Chappell said in this exhaustive dissection of the underlying flaw in a component called MSHTML and the code that exploited it.

"This is not one of those bugs that is caused just by a line or two in the source code and which might be fixed by patching the binary code, if only while waiting for a proper update from the manufacturer," he wrote. "If I am right, MSHTML has a potentially wide-ranging problem with the reference counting of nodes. Any update that doesn't obviously look like having dealt with this ought not be accepted as a fix." ®

This article was updated to add details about email and Office software and analysis about the MSHTML component.

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.