Microsoft will release an out-of-band patch Jan. 21 to fix
the Internet Explorer vulnerability at the center of recent attacks on Google
and other enterprises.
According to Microsoft, the patch is slated to be ready around 1 p.m. EST.
If all goes according to plan, the patch will close a hole that has prompted
France and Germany to advise users to avoid IE and the U.S. State Department
to demand answers from China.
Attackers have used the vulnerability to hit IE 6. Microsoft has said
that so far it has seen only limited, targeted attacks using the
vulnerability.
Meanwhile, security researchers have continued to uncover
information about the origin of the attack. Joe Stewart, director of
malware research for SecureWorks' Counter Threat Unit, said his analysis of the
code for the main Trojan involved in the attacks shows a more direct link
to China.
According to Stewart, the code includes a CRC
(cyclic redundancy check) algorithm implementation released as part
of a Chinese-language paper on optimizing CRC
algorithms for use in microcontrollers.
"This CRC-16
implementation seems to be virtually unknown outside of China,
as shown by a Google search for one of the key variables, 'crc_ta[16],'" Stewart
noted in a SecureWorks blog post Jan. 20. "At the time of this
writing, almost every page with meaningful content concerning the algorithm is
Chinese."
Up until this finding, Stewart told eWEEK, the factors leading
people to point to China
were patterns similar to previous Chinese malware.
"Unfortunately, when investigating malware, nothing is
conclusive because digital evidence can be forged," he said. "However,
I believe the use of the Chinese algorithm certainly gives more credence to the
attack code being Chinese in origin."
Researchers at Symantec noted seeing the Hydraq Trojan used in an attack
campaign in July 2009 that spread using vulnerabilities in Adobe Reader,
Acrobat and Flash Player. McAfee, meanwhile, observed attack code for the
IE vulnerability circulating on the Web the week of Jan. 11. So far, IE 6 is
the only version of the browser known to have been successfully targeted
by attackers.
However, Vupen
Security developed an exploit that worked on IE 8 and bypassed DEP
(Data Execution Prevention) protections. The best defense for those worried
about the issue is to disable JavaScript, according to Vupen.
"Microsoft has no choice but to release an out-of-band
patch for this; with France and Germany having issued notices warning people of
the perils of using Microsoft's Internet Explorer, the exploit's role in
compromising Microsoft's 'archrival' Google, among others, and widespread
press coverage, Microsoft found itself in a precarious position," said
Josh Phillips, virus researcher with Kaspersky Lab.
"On top of the
widespread publicity, public release of the exploit has led to the discovery
that under certain conditions, even the latest versions of Internet Explorer
are exploitable when running on Windows Vista and Windows XP."