Feeds

Microsoft will issue emergency IE patch on Thursday

Copycat hackers, take notice

Beginner's guide to SSL certificates

Updated A rare emergency update from Microsoft to patch a critical vulnerability in Internet Explorer will be released on Thursday.

The update will mark only the 10th 12th time Microsoft has issued a security update outside of its normal schedule since 2003, when it began issuing patches on the second Tuesday of each month. It will come a week after the world learned an attack exploiting the potent IE flaw was used to pierce the defenses of Google and at least some of the other 33 large companies that suffered similar assaults.

Microsoft researchers said that they continue to see only limited attacks that exploit the bug and that, so far, they have only succeed against IE 6. But, as reported Tuesday, researchers elsewhere said they have figured out how to bypass security measures offered in later versions of the widely used browser, making it theoretically possible to compromise a much broader base of PCs.

What's more, researchers from anti-virus firm McAfee report they are seeing copycat attacks with exploits modified to install a wide variety of malware. The new attacks are being reported by Chinese users visiting Chinese websites, but the researchers said exploits elsewhere are likely, now that attack code has gone public.

"Given that exploit code is readily available, this is likely the tip-of-the tip of the iceberg in terms of the domains and malware we are likely to see over the next few weeks (and we can expect to see new exploit and related malware variants for many months, if not years, to come)," Craig Schmugar, a threat researcher at McAfee Avert Labs, wrote.

More detail on the follow-on exploits - which came from 8866.org and 3322.org - is here.

Microsoft said the emergency patch will be issued as close to 10 am Seattle time as possible and will contain fixes for several other vulnerabilities as well. The company recommends users install it as soon as possible. The patch will require users to restart their machines.

For the first time, Microsoft said the vulnerability could also be exploited to attack users of its email and office productivity software. Thursday's patch will close holes in those programs as well. Users of Microsoft Access, Word, Excel, or PowerPoint can workaround the issue by disabling ActiveX Controls.

No doubt, members of Microsoft's security team have been working around the clock to fix this bug since learning of it last week. Their work won't be easy, software analyst Geoff Chappell said in this exhaustive dissection of the underlying flaw in a component called MSHTML and the code that exploited it.

"This is not one of those bugs that is caused just by a line or two in the source code and which might be fixed by patching the binary code, if only while waiting for a proper update from the manufacturer," he wrote. "If I am right, MSHTML has a potentially wide-ranging problem with the reference counting of nodes. Any update that doesn't obviously look like having dealt with this ought not be accepted as a fix." ®

This article was updated to add details about email and Office software and analysis about the MSHTML component.

Internet Security Threat Report 2014

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
The hidden costs of self-signed SSL certificates
Exploring the true TCO for self-signed SSL certificates, including a side-by-side comparison of a self-signed architecture versus working with a third-party SSL vendor.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.