Microsoft rushes to patch zero-day IE hole

Out-of-band fix on Tuesday will address nine vulnerabilities, including a critical zero-day hole disclosed three weeks ago that affects Internet Explorer 6 and 7.

Elinor Mills Former Staff Writer

Microsoft will release an emergency update on Tuesday for Internet Explorer that fixes nine vulnerabilities, including one that has been exploited in attacks on IE6 and IE7 systems, the company said on Monday.

Microsoft warned of the attacks three weeks ago, releasing Security Advisory 981374 during its most recent Patch Tuesday.

The zero-day IE hole could allow an attacker to take control of a machine if a user visited a malicious Web site. Users of IE8 and Windows 7 are not vulnerable to that particular flaw, Microsoft said in its bulletin notification. However, all current versions of Windows are listed as affected by the cumulative patch because there are nine vulnerabilities being addressed, according to a Microsoft Security Response Center blog post.

"Microsoft's decision to accelerate the release rather than waiting until next Patch Tuesday on April 13th is an indication that attacks against the 'iepeers' vulnerability are on the rise," Wolfgang Kandek, chief technology officer of Qualys, wrote in a blog post. "If you are still using IE6 or IE7, patch immediately. But even if you are on IE8 you should patch as quickly as possible, as attackers will start reverse engineering the flaws addressed and preparing corresponding exploits within the week."