Microsoft moves after various websites serve up exploits for an unpatched flaw in the browser
Microsoft has confirmed it will issue an out-of-band patch to cover a zero-day flaw in Internet Explorer, excluding versions 9 and 10.
The memory corruption flaw was flagged at the start of the year, leading Microsoft to offer a workaround for users whilst it worked on a proper patch.
Yet researchers at vulnerability expert Exodus Intelligence found a way to easily get around the Fix It solution and thereby exploit the flaw.
Microsoft will be releasing a patch later today, which should see the problem eradicated entirely.
Internet Explorer getting in a fix
“While we have still seen only a limited number of customers affected by the issue, the potential exists that more customers could be affected in the future. The bulletin has a severity rating of Critical,” Microsoft noted in a blog post.
“We recommend that you install this update as soon as it is available. This update for Internet Explorer 6-8 will be made available through Windows Update and our other standard distribution channels.
“If you have automatic updates enabled on your PC, you won’t need to take any action. If you applied the Fix it released in Security Advisory 2794220, you won’t need to uninstall it before applying the security update.”
Researchers have found a number of websites serving up exploits targeting the flaw, including US-based think-tank Council on Foreign Relations and Capstone Turbine, a US micro-turbine manufacturer.
Symantec suggested the Elderwood Group of hackers were exploiting the vulnerability. The collective was suspected to have been involved in the hit on Google in the famous Aurora attacks of 2009/10.
What do you know about online security? Try our quiz and find out!