Microsoft to release patch for IE hole on Thursday

Software giant will issue its out-of-band patch for the hole in Internet Explorer used in the recent attack on Google.

Elinor Mills
Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
2 min read

Microsoft said on Wednesday that it will release on Thursday a patch to fix the latest hole in Internet Explorer that was used in the China-based attack on Google and for which an exploit has been released on the Internet since last week.

The company plans to release the patch as close to 10 a.m. PST on Thursday as possible and host a public Webcast at 1 p.m. PST, according to the security advisory.

Microsoft continues to see limited attacks and has only seen evidence of successful attacks against Internet Explorer 6, according to Jerry Bryant, senior security program manager at Microsoft.

"This is a standard cumulative update, accelerated from our regularly scheduled February release, for Internet Explorer with an aggregate severity rating of Critical," he said in a statement.

"It addresses the vulnerability related to recent attacks against Google and a small subset of corporations, as well as several other vulnerabilities. Once applied, customers are protected against the known attacks that have been widely publicized," Bryant said. "We recommend that customers install the update as soon as it is available. For customers using automatic updates, this update will automatically be applied once it is released."

Vulnerable software is IE 6 on Microsoft Windows 2000 and IE 6, 7, and 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, Microsoft said.

Microsoft also updated its security advisory on the vulnerability to include technical details to address additional products that may be affected by this vulnerability and to provide guidance related to reports of proof of concept code that bypasses the Data Encryption Protection that can mitigate against attacks.

For an attack to be accomplished, an attacker would have to lure an IE user to a Web site hosting malware that was written to exploit the hole in the browser. This could be done by using social engineering and including a link to the malicious site in an e-mail that looks like it is coming from someone familiar or contains important information. Once a computer is infected, an attacker could take complete control of it.

Microsoft had announced on Tuesday that it would release the out-of-band patch before the next Patch Tuesday in February.

Meanwhile, McAfee announced on Wednesday the availability of a free tool that anyone can use to detect and remove any malware related to "Operation Aurora," the name they have given to the attacks on Google and other companies based on what they believe attackers dubbed it. The "Aurora Stinger" tool from McAfee also includes a link to the cloud-based McAfee Global Threat Intelligence, McAfee Chief Technology Officer George Kurtz said in a blog post. "This means it will also pick up on newly discovered variants in real time without requiring an update to the signature files that come with the tool," he said.

Updated 11:55 a.m. PST with McAfee tool and background on exploit code being in the wild, and information on how an attack could be accomplished.