Microsoft's next Patch Tuesday won't resolve IE zero-day flaw

Next week's patches will shore up holes in Windows and Office, but a permanent fix for the latest bug in Internet Explorer is still in the works.

Lance Whitney, Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.

Microsoft's regular Patch Tuesday rolls around next week. But one flaw that won't be fixed in the mix is the latest zero-day exploit in Internet Explorer.

Last Saturday, Microsoft warned about the zero-day flaw in IE 6, 7, and 8 that could allow attackers to gain control of Windows computers to host malicious Web sites. In its advisory, the company noted that IE 9 and 10 are unaffected by the vulnerability and suggested a variety of workarounds for those running the older browser versions.

On Monday, the company issued a temporary fix that prevents the flaw from being exploited without forcing users to tweak their browser settings. Microsoft warned that this fix is not designed to replace actual security updates but revealed that it is working on a permanent fix.

"We are actively working on a security update for the issue described by Security Advisory 2794220," Dustin Childs, group manager of Microsoft Trustworthy Computing, said in a statement sent to CNET today.

"At this time, we've seen only a limited number of affected customers," he added. "We take customer protection very seriously and until a security update is released, we encourage people to apply the one-click Fix it solution offered with Security Advisory 2794220 to help ensure protection. Additionally, customers should ensure their anti-malware solution is up-to-date and follow good network hygiene practices, such as enabling a firewall, for added protection against threats."

The flaw can only be exploited if a user is taken to a malicious Web site, typically through an e-mail or instant message. So as always, people should be wary of opening any links in an e-mail or IM that seem suspicious.

Among the seven patches due out next week, two are deemed critical, meaning they could allow an attacker to remotely run malware on a vulnerable PC if the user opens a malicious Web page or e-mail. Critical patches are automatically applied as long as Windows updates are set to automatically install.

The two critical patches affect Windows, Office, Microsoft Developer Tools, and Microsoft Server software.

Updated at 9:55 a.m. PT with a statement from Microsoft.