Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
    Digg this story   Add to  
Microsoft to push out emergency patch
Published: 2008-12-16

Microsoft alerted customers on Tuesday that the company would deliver an update the following day to fix a flaw in all versions of its Internet Explorer browser, after online criminals accelerated their exploitation of the issue.

The software giant first described the issue last week as a problem in the way Internet Explorer handles a particular object in memory, potentially causing an exploitable crash. Microsoft had estimated on Saturday that only 0.2 percent of Internet Explorer users had been exposed to attacks using the unpatched vulnerability, but acknowledged that the number was rapidly increasing.

"In response to the threat to customers and mindful of the challenges customers face deploying updates during this time of year, Microsoft immediately mobilized security engineering teams worldwide to develop, test and deliver a security update of appropriate quality for worldwide distribution in the unprecedented time of eight days," the company said Tuesday in a statement.

In a post to the Microsoft's Malware Protection Center blog on Saturday, two of its analysts wrote that attackers were using legitimate and pornographic Web sites to host exploits for the vulnerability. The software giant had originally believed the vulnerability affected only Internet Explorer 7, but late last week discovered that the issue affects all versions of the browsers on all Windows operating systems.

While less than a percent of users had possibly been affected, the Microsoft analysts warned that the use of the attack was accelerating.

"That percentage may seem low, however it still means that a significant number of users have been affected," Ziv Mador and Tareq Saade said in the blog post. "The trend for now is going upwards: we saw an increase of over 50 percent in the number of reports today compared to yesterday."

The software giant recommended workarounds in its advisory on the issue.

If you have tips or insights on this topic, please contact SecurityFocus.

Posted by: Robert Lemos
    Digg this story   Add to  
Comments Mode:


Privacy Statement
Copyright 2009, SecurityFocus