Feeds

Microsoft will issue emergency IE patch on Thursday

Copycat hackers, take notice

Seven Steps to Software Security

Updated A rare emergency update from Microsoft to patch a critical vulnerability in Internet Explorer will be released on Thursday.

The update will mark only the 10th 12th time Microsoft has issued a security update outside of its normal schedule since 2003, when it began issuing patches on the second Tuesday of each month. It will come a week after the world learned an attack exploiting the potent IE flaw was used to pierce the defenses of Google and at least some of the other 33 large companies that suffered similar assaults.

Microsoft researchers said that they continue to see only limited attacks that exploit the bug and that, so far, they have only succeed against IE 6. But, as reported Tuesday, researchers elsewhere said they have figured out how to bypass security measures offered in later versions of the widely used browser, making it theoretically possible to compromise a much broader base of PCs.

What's more, researchers from anti-virus firm McAfee report they are seeing copycat attacks with exploits modified to install a wide variety of malware. The new attacks are being reported by Chinese users visiting Chinese websites, but the researchers said exploits elsewhere are likely, now that attack code has gone public.

"Given that exploit code is readily available, this is likely the tip-of-the tip of the iceberg in terms of the domains and malware we are likely to see over the next few weeks (and we can expect to see new exploit and related malware variants for many months, if not years, to come)," Craig Schmugar, a threat researcher at McAfee Avert Labs, wrote.

More detail on the follow-on exploits - which came from 8866.org and 3322.org - is here.

Microsoft said the emergency patch will be issued as close to 10 am Seattle time as possible and will contain fixes for several other vulnerabilities as well. The company recommends users install it as soon as possible. The patch will require users to restart their machines.

For the first time, Microsoft said the vulnerability could also be exploited to attack users of its email and office productivity software. Thursday's patch will close holes in those programs as well. Users of Microsoft Access, Word, Excel, or PowerPoint can workaround the issue by disabling ActiveX Controls.

No doubt, members of Microsoft's security team have been working around the clock to fix this bug since learning of it last week. Their work won't be easy, software analyst Geoff Chappell said in this exhaustive dissection of the underlying flaw in a component called MSHTML and the code that exploited it.

"This is not one of those bugs that is caused just by a line or two in the source code and which might be fixed by patching the binary code, if only while waiting for a proper update from the manufacturer," he wrote. "If I am right, MSHTML has a potentially wide-ranging problem with the reference counting of nodes. Any update that doesn't obviously look like having dealt with this ought not be accepted as a fix." ®

This article was updated to add details about email and Office software and analysis about the MSHTML component.

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.