Microsoft to issue IE patch for Google attack flaw

Microsoft will take the unusual step of issuing an out-of-cycle patch for the Internet Explorer flaw thought to have been central to the cyberattacks against Google and other companies.

The company announced Tuesday that "given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves, and the escalating threat environment, Microsoft will release a security update out-of-band for this vulnerability." Microsoft didn't say exactly when it would release the patch, but promised more details Wednesday.

Microsoft normally releases patches for its software on Patch Tuesday, as it has come to be known, so that corporations that use Microsoft products will know what's coming and can plan accordingly. But every now and then it will break with that pattern upon the discovery of an important flaw or vulnerability that requires a fast fix, since Patch Tuesday only comes once a month. The next Patch Tuesday is scheduled for February 9.

The vulnerability at issue in the cyberattacks that have prompted a showdown between Google and China affects versions 6, 7, and 8 of Internet Explorer, although Microsoft said that attacks have only been successful on systems running IE 6. The company advised IE users to upgrade to Internet Explorer 8 to protect themselves against attacks.

The news comes after researchers from Vupen Security reported that technology designed to mitigate attacks in newer versions of IE can be bypassed.

Asked to comment on that, a Microsoft spokeswoman said: "Microsoft is investigating claims of the ability to bypass the Data Execution Prevention (DEP) feature in Internet Explorer. Once we're done investigating, we will take appropriate action to help protect customers."

Updated at 1:32 p.m. PST with report of ability to bypass Microsoft DEP technology and Microsoft comment.