Microsoft Corp. is working on a plan to release an out-of-cycle patch to cover a gaping hole in its dominant Internet Explorer browser.
Sources say the MSRC (Microsoft Security Response Center) is aggressively aiming to release the emergency IE fix ahead of the December 13 Patch Tuesday schedule.
Officially, the company isnt commenting on a timeline for the IE patch. A Microsoft spokeswoman said the creation of security updates is "an extensive process involving a series of sequential steps."
"There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update, and every vulnerability presents its own unique challenges."
However, a source familiar with the companys thinking said the out-of-cycle update is dependent on the patch holding up through a "very rigorous" quality assurance testing process.
"If the patch isnt ready from a quality standpoint, it wont be released. But with an attack already underway, I think youll see an emergency patch," the source said.
Alex Eckelberry, president of anti-spyware vendor Sunbelt Software, said his company first detected the drive-by downloads earlier this week and reported its findings to Microsoft.
"This is a pretty nasty exploit. You just have to visit the [malicious] site and your computer gets hosed. Its dropping a Trojan downloader that takes control of the victims machine," Eckelberry said in an interview.
Sunbelt Software researchers have confirmed the exploit is being launched from a handful of malicious Web sites.
He said the drive-by exploit was successfully loading pornography-themed spyware programs on fully patched Windows XP SP2 machines.
"If theres one time Microsoft needs to go out-of-cycle with a patch, this is it," Eckelberry declared.
Stephen Toulouse, an MSRC program manager, said Microsofts anti-virus engine has been updated to detect the latest attack, which drops a piece of malware called TrojanDownloader:Win32/Delf.DH.
Anti-virus vendor McAfee Inc. identified it as JS/Exploit-BO.gen and confirmed it was using the zero-day "Window()" remote code execution exploit released last week by a UK-based group called "Computer Terrorism."
Eckelberry said that he was aware that Kaspersky Lab and Symantec Corp. had updated its virus definitions to detect the latest attack.
In Microsofts advisory, the company recommends that customers can visit its new Windows Live Safety Center and use the "Complete Scan" option to check for and remove the malicious software and future variants.
The Safety Center, which is part of the companys new Windows Live initiative, lets customers run free Web-based computer scans to detect and remove viruses and other known malware.
It currently works only on IE and uses an ActiveX Control to scan for and remove viruses. It is also capable of detecting vulnerabilities on Internet connections.
Johannes Ullrich, chief research officer at the SANS ISC (Internet Storm Center), said in a recent interview that the severity of the vulnerability and the public release of exploit code should force Microsoft into releasing an out-of-cycle update.
"This one certainly qualifies for an emergency patch. How much worse can it get? At this stage, you really cant wait for next month to get a fix out there," Ullrich said.
Since moving to a monthly release cycle in late 2003, Microsoft has released three out-of-cycle patches, all for "critical" IE flaws.