Microsoft races to plug IE hole after exploit code released

Software giant's patch process speeds up after researcher releases code on Net that can be used to target the vulnerability and take over PCs.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

Microsoft said on Friday it is testing a patch to fix a new hole in Internet Explorer 6 and IE 7 following the release of exploit code on the Internet.

With the announcement, it seems increasingly likely that the company will issue a patch for the hole before the next Patch Tuesday, which is about four weeks away, if testing of the patch goes quickly.

Microsoft warned about the hole, which it said was being targeted in attacks and could allow an attacker to take control of a computer, in an advisory on Tuesday. The next day, Israeli researcher Moshe Ben Abu released exploit code for the vulnerability after using clues in a McAfee blog post to find existing exploit code and pinpointing the weakness from there.

"We have seen speculation that Microsoft might release an update for this issue out of band. I can tell you that we are working hard to produce an update which is now in testing," Jerry Bryant, senior security communications manager lead at Microsoft, wrote in a post on the Microsoft Security Response Center blog.

"This is a critical and time-intensive step of the process as the update must be tested against all affected versions of Internet Explorer on all supported versions of Windows. Additionally, each supported language version needs to be tested as well as testing against thousands of third party applications," he wrote. "We never rule out the possibility of an out-of-band update. When the update is ready for broad distribution, we will make that decision based on customer needs."

Microsoft included workaround information in its initial advisory on the hole, which does not affect IE 8, and on Friday updated Security Advisory 981374 to add more information on workarounds following Ben Abu's work.

"With today's update, we have added a Microsoft Fix It to automate this workaround for Windows XP and Windows Server 2003 customers," Bryant said. "As always, customers should test this thoroughly before deploying as certain functionality that depends on the peer factory class, such as printing from Internet Explorer and the use of Web folders, may be affected."