Microsoft has started dropping broad hints that an emergency patch for Internet Explorer will be released very soon to counter targeted attacks and the publication of exploit code for a “browse and you’re owned” vulnerability in its flagship Web browser.
[ UPDATE: Here is the official confirmation from Microsoft that an out-of-band patch is coming. No official date yet ]
The out-of-band update will be released once the company is satisfied that it has been properly tested against all affected versions of Windows. This could happen as early as this weekend.
The decision to ship the IE patch outside of Microsoft’s scheduled Patch Tuesday releases follows the release of exploit code into the Metasploit attack tool.
The Metasploit code only works against Internet Explorer 6 but there are claims in the security research community that the vulnerability has been successfully exploited on IE7 (Windows Vista) as well as IE6 and on Windows XP.
The vulnerability was discovered during zero-day attacks against several big-name U.S. companies, including Google, Adobe and Juniper Networks. During those attacks, data-stealing malware exploited the flaw against systems running IE6 on Windows XP.
Microsoft says the ongoing attacks remain “targeted to a very limited number of corporations” and are only effective against Internet Explorer 6. However, with the exploit code now in Metasploit, malware purveyors could begin tinkering with exploits geared to newer versions of the browser.
Now, Microsoft is imploring its customers to upgrade immediately to IE 8. A special guidance page has been published to offer information on how to mitigate this vulnerability and avoid attacks.
Microsoft’s Security Research & Defense team has created and released a one-click “Fix It” tool to allow users to enable DEP (Data Execution Prevention) on older versions of the browser. DEP, a crucial anti-exploit mitigation, is enabled by default on IE8 only.
Here is a video showing the Metasploit exploit in action.
(Video via Praetorian Prefect)