Microsoft is planning an out-of-band patch for the Internet Explorer vulnerability attackers exploited to hit Google and other companies.
Microsoft plans to release an out-of-band patch to plug the zero-day
security hole exploited
recently in attacks on Google
and other companies.
George Stathakopoulos, general manager of Microsoft's Trustworthy Computing
Security group, announced that Microsoft
would offer a timeline for the patch
Jan. 20. The company's move follows news
and Germany are encouraging users to shun Internet Explorer
for now in
favor of other browsers.
In addition, researchers from Vupen Security reported Jan. 19 that the
company had developed exploit code that could circumvent the DEP (Data
Execution Prevention) mechanism in IE 8, which so far is not known to have been
targeted by attackers.
However, Vupen CEO Chaouki Bekrar said the Vupen exploit is not publicly
and was distributed exclusively to IPS
(intrusion prevention system), IDS (intrusion detection system) and anti-virus
vendors that are members of the Vupen In-Depth Vulnerability Analysis and
"We used in-house and undisclosed methods to bypass permanent DEP and
reliably execute arbitrary code," Bekrar said. "We first used and
improved this method a few weeks ago when we exploited another Internet
Explorer 8 vulnerability."
In the past few days, France
have advised their citizens to switch from IE to other browsers as they await a
patch from Microsoft. Attack
code for the vulnerability
meanwhile continues to appear on the Internet,
though so far it seems to have only been used successfully in targeted attacks
focused on IE 6.
"The recommendations from France
seem to be an overreaction to the actual risk," opined Andrew Storms,
director of security operations at nCircle. "In my opinion, this reaction
should be considered in the context of the contentious and litigious
relationship that many EU countries have with Microsoft in general. This is a
perfect example of people looking at something that's happening in the threat
environment and generalizing the threat from an emotional reaction instead of
really quantifying risk that is specific to their business."
For its part, Microsoft is still recommending that users upgrade to IE 8 as
they wait for a patch.
"We take the decision to go out-of-band very seriously given the impact
to customers, but we believe releasing an update out-of-band update is the
right decision at this time," Stathakopoulos wrote on the Microsoft Security
Response Center blog.