Microsoft will issue a security update for Internet Explorer March 30 to address a zero-day vulnerability that has left users of IE 6 and IE 7 under attack.
Microsoft is planning to patch
a zero-day bug in Internet Explorer
in March 30 with an out-of-band
The patch plugs a security hole Microsoft first warned about March 9 after
attackers began targeting the vulnerability
in IE 6 and 7.
IE 8 is unaffected.
"We recommend that customers install the update as soon as it is
group manager of Microsoft Security Response Center
Bryant added, "Additionally, because Security Bulletin MS10-18 is a
cumulative update, it will also address nine other vulnerabilities in Internet
Explorer that were planned for release on April 13."
The driving force behind the release is the zero-day, which is caused
by an invalid pointer reference. Under certain conditions, the invalid pointer
can be accessed after an object is deleted, and in attempting to access a freed
object IE can open itself to remote code execution, Microsoft reported.
According to the company's advisory, attackers
the situation by tricking a user into clicking on a malicious
or compromised Web page. There are however some workarounds to mitigate
the vulnerability, including changing Internet security zone settings to
High. In addition, users can modify the access control list on iepeers.dll.
"Microsoft's decision to accelerate the release rather than waiting
until next Patch Tuesday on April 13 is an indication that attacks against the 'iepeers'
vulnerability are on the rise," blogged Wolfgang Kandek, CTO
"If you are still using IE 6 or IE 7, patch immediately," Kandek
continued. "But even if you are on IE 8 you should patch as quickly as
possible, as attackers will start reverse engineering the flaws addressed and
preparing corresponding exploits within the week."