Drive-by prompts emergency response from Microsoft

March 29, 2010

Microsoft is to release an emergency patch for a recently uncovered security flaw in Internet Explorer 6 and 7. It’s also taking the opportunity to fix a few problems which also affect IE8.

The main problem being fixed is that old classic: an Internet Explorer bug which could be exploited to allow remote code execution (effectively giving over control of the computer) after being triggered by a visit to a specially-crafted website. It’s particularly serious as it’s a zero-day bug, meaning hackers were actively exploiting it before Microsoft was aware and taking remedial action.

The specific issue was an invalid pointer reference, which is roughly equivalent to an incorrect signpost within the computer code. Unlike a motorist who’d figure out something was wrong after going round in circles a couple of times, computers don’t adjust well to such problems.

The Protected Mode in Internet Explorer on both Vista and Windows 7 does limit the effects of the bug, though hackers could still get some access to an infected machine.

The company will release the emergency patch (known officially as an out-of-cycle security bulletin) tomorrow. That response appears to have come earlier than many analysts expected, suggesting Microsoft may believe attacks exploiting it are on the increase.

The patch will also include fixes for other Internet Explorer bugs, reportedly including some in version 8, which had been scheduled for release in the next monthly bulletin on April 13. It’s not known how serious these problems are, though the fact that the fixes were originally scheduled for next month suggests the issues either aren’t widely known about in the hacker community or show no sign of attempts to exploit them. Releasing these fixes now appears to simply be taking advantage of the necessary update, thus helping lighten the load on April 13.

It’s also not been said whether or not the update includes a fix for an Internet Explorer/XP bug which has been exploited recently through hackers producing websites which prompt users to press the F1 button, a prompt Microsoft has warned users not to respond to.




Copyright © 2012 Blorge.com NS