Microsoft is planning to patch a zero-day bug in Internet Explorer on March 30 with an out-of-band emergency fix.

The patch plugs a security hole Microsoft first warned about on March 9, after attackers began targeting the vulnerability in IE 6 and 7. IE 8 is unaffected.
"We recommend that customers install the update as soon as it is available," blogged Jerry Bryant, group manager of Microsoft Security Response Center communications.

Bryant added, "Additionally, because Security Bulletin MS10-18 is a cumulative update, it will also address nine other vulnerabilities in Internet Explorer that were planned for release on April 13."
The driving force behind the release is the zero-day, which is caused by an invalid pointer reference. Under certain conditions, the invalid pointer can be accessed after an object is deleted, and in attempting to access the freed object IE can open itself to remote code execution, Microsoft reported.

According to the company's advisory, attackers can exploit the flaw by tricking a user into visiting a malicious or compromised Web page. There are, however, some workarounds that mitigate the vulnerability until the patch is applied, including raising the Internet security zone setting to High. In addition, users can modify the access control list on iepeers.dll to restrict access to the affected library.
"Microsoft's decision to accelerate the release rather than waiting until next Patch Tuesday on April 13 is an indication that attacks against the 'iepeers' vulnerability are on the rise," blogged Wolfgang Kandek, CTO of Qualys.

"If you are still using IE 6 or IE 7, patch immediately," Kandek continued. "But even if you are on IE 8 you should patch as quickly as possible, as attackers will start reverse engineering the flaws addressed and preparing corresponding exploits within the week."