Microsoft: Emergency Patch for IE Flaw Coming Wednesday
Microsoft is signaling that it plans to ship an emergency software update on Wednesday to fix a dangerous security hole in its Internet Explorer Web browser that thousands of compromised Web sites have been using to install malicious software.
Microsoft says the critical flaw is present in all versions of IE, from IE5 all the way up through IE8 Beta 2. In an unusually frank blog post, the company estimated that about 0.2 percent of Windows users worldwide may have been exposed to Web sites containing exploits that try to attack this vulnerability.
While one in every 500 IE users may not sound like a large number, Microsoft said the frequency of attacks is increasing dramatically.
“That percentage may seem low, however it still means that a significant number of users have been affected. The trend for now is going upwards: we saw an increase of over 50 percent in the number of reports today compared to yesterday,” wrote Microsoft’s Ziv Mador and Tareq Saade.
In a blog post on Dec. 13, security firm Trend Micro said it found evidence that at least 6,000 Web sites had been hacked and seeded with code designed to install password-stealing software when vulnerable users visit the sites with IE. And that was three days ago.
This would be the second time this year that Microsoft will have broken out of its monthly patch cycle to address a pressing security problem. In October, Redmond issued an out-of-band release to fix a critical flaw in Windows.
Microsoft usually issues patches on the second Tuesday of each month, but signs that hackers were exploiting an unpatched flaw in all versions of IE showed up the day after this month’s Patch Tuesday. That day is sometimes known as “Exploit Wednesday”: attackers have begun using it for exploitation because it gives them the longest lead time until Microsoft gets around to fixing the flaw, unless the company issues an out-of-band update.
Security Fix will have more information on Wednesday, after Microsoft releases the update. Stay tuned.
This is from the Washington Post last night.