Feeds

Microsoft will issue emergency IE patch on Thursday

Copycat hackers, take notice

Providing a secure and efficient Helpdesk

Updated A rare emergency update from Microsoft to patch a critical vulnerability in Internet Explorer will be released on Thursday.

The update will mark only the 10th 12th time Microsoft has issued a security update outside of its normal schedule since 2003, when it began issuing patches on the second Tuesday of each month. It will come a week after the world learned an attack exploiting the potent IE flaw was used to pierce the defenses of Google and at least some of the other 33 large companies that suffered similar assaults.

Microsoft researchers said that they continue to see only limited attacks that exploit the bug and that, so far, they have only succeed against IE 6. But, as reported Tuesday, researchers elsewhere said they have figured out how to bypass security measures offered in later versions of the widely used browser, making it theoretically possible to compromise a much broader base of PCs.

What's more, researchers from anti-virus firm McAfee report they are seeing copycat attacks with exploits modified to install a wide variety of malware. The new attacks are being reported by Chinese users visiting Chinese websites, but the researchers said exploits elsewhere are likely, now that attack code has gone public.

"Given that exploit code is readily available, this is likely the tip-of-the tip of the iceberg in terms of the domains and malware we are likely to see over the next few weeks (and we can expect to see new exploit and related malware variants for many months, if not years, to come)," Craig Schmugar, a threat researcher at McAfee Avert Labs, wrote.

More detail on the follow-on exploits - which came from 8866.org and 3322.org - is here.

Microsoft said the emergency patch will be issued as close to 10 am Seattle time as possible and will contain fixes for several other vulnerabilities as well. The company recommends users install it as soon as possible. The patch will require users to restart their machines.

For the first time, Microsoft said the vulnerability could also be exploited to attack users of its email and office productivity software. Thursday's patch will close holes in those programs as well. Users of Microsoft Access, Word, Excel, or PowerPoint can workaround the issue by disabling ActiveX Controls.

No doubt, members of Microsoft's security team have been working around the clock to fix this bug since learning of it last week. Their work won't be easy, software analyst Geoff Chappell said in this exhaustive dissection of the underlying flaw in a component called MSHTML and the code that exploited it.

"This is not one of those bugs that is caused just by a line or two in the source code and which might be fixed by patching the binary code, if only while waiting for a proper update from the manufacturer," he wrote. "If I am right, MSHTML has a potentially wide-ranging problem with the reference counting of nodes. Any update that doesn't obviously look like having dealt with this ought not be accepted as a fix." ®

This article was updated to add details about email and Office software and analysis about the MSHTML component.

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.