Microsoft's next Patch Tuesday won't resolve IE zero-day flaw
Next week's patches will shore up holes in Windows and Office, but a permanent fix for the latest bug in Internet Explorer is still in the works.
Microsoft's regular Patch Tuesday rolls around next week. But one flaw that won't be fixed in the mix is the latest zero-day exploit in Internet Explorer.
Last Saturday, Microsoft warned about the zero-day flaw in IE 6, 7, and 8 thatto host malicious Web sites. In its advisory, the company noted that IE 9 and 10 are unaffected by the vulnerability and suggested a variety of workarounds to those running the older browser versions.
On Monday, the companythat prevents the flaw from being exploited without forcing users to tweak their browser settings. Microsoft warned that this fix is not designed to replace actual security updates but revealed that it is working on a permanent fix.
"We are actively working on a security update for the issue described by Security Advisory 2794220," Dustin Childs, group manager of Microsoft Trustworthy Computing, said in a statement sent to CNET today.
"At this time, we've seen only a limited number of affected customers," he added. "We take customer protection very seriously and until a security update is released, we encourage people to apply the one-click Fix it solution offered with Security Advisory 2794220 to help ensure protection. Additionally, customers should ensure their anti-malware solution is up-to-date and follow good network hygiene practices, such as enabling a firewall, for added protection against threats."
The flaw can only be exploited if a user is taken to a malicious Web site, typically through an e-mail or instant message. So as always, people should be wary of opening any links in an e-mail or IM that seem suspicious.
Among the seven patches due out next week, two are deemed critical, meaning they could allow an attacker to remotely run malware on a vulnerable PC if the user opens a malicious Web page or e-mail. Critical patches are automatically applied as long as Windows updates are set to automatically install.
The two critical patches affect Windows, Office, Microsoft Developer Tools, and Microsoft Server software.
Updated at 9:55 a.m. PT with a statement from Microsoft.