Updated A rare emergency update from Microsoft to patch a critical vulnerability in Internet Explorer will be released on Thursday.
The update will mark only the
10th 12th time Microsoft has issued a security update outside of its normal schedule since 2003, when it began issuing patches on the second Tuesday of each month. It will come a week after the world learned an attack exploiting the potent IE flaw was used to pierce the defenses of Google and at least some of the other 33 large companies that suffered similar assaults.
Microsoft researchers said that they continue to see only limited attacks that exploit the bug and that, so far, they have only succeed against IE 6. But, as reported Tuesday, researchers elsewhere said they have figured out how to bypass security measures offered in later versions of the widely used browser, making it theoretically possible to compromise a much broader base of PCs.
What's more, researchers from anti-virus firm McAfee report they are seeing copycat attacks with exploits modified to install a wide variety of malware. The new attacks are being reported by Chinese users visiting Chinese websites, but the researchers said exploits elsewhere are likely, now that attack code has gone public.
"Given that exploit code is readily available, this is likely the tip-of-the tip of the iceberg in terms of the domains and malware we are likely to see over the next few weeks (and we can expect to see new exploit and related malware variants for many months, if not years, to come)," Craig Schmugar, a threat researcher at McAfee Avert Labs, wrote.
More detail on the follow-on exploits - which came from 8866.org and 3322.org - is here.
Microsoft said the emergency patch will be issued as close to 10 am Seattle time as possible and will contain fixes for several other vulnerabilities as well. The company recommends users install it as soon as possible. The patch will require users to restart their machines.
For the first time, Microsoft said the vulnerability could also be exploited to attack users of its email and office productivity software. Thursday's patch will close holes in those programs as well. Users of Microsoft Access, Word, Excel, or PowerPoint can workaround the issue by disabling ActiveX Controls.
No doubt, members of Microsoft's security team have been working around the clock to fix this bug since learning of it last week. Their work won't be easy, software analyst Geoff Chappell said in this exhaustive dissection of the underlying flaw in a component called MSHTML and the code that exploited it.
"This is not one of those bugs that is caused just by a line or two in the source code and which might be fixed by patching the binary code, if only while waiting for a proper update from the manufacturer," he wrote. "If I am right, MSHTML has a potentially wide-ranging problem with the reference counting of nodes. Any update that doesn't obviously look like having dealt with this ought not be accepted as a fix." ®
This article was updated to add details about email and Office software and analysis about the MSHTML component.