A week after Microsoft patched its Internet Explorer (IE) web browser for 10 privately reported security issues, the company on Sept. 17 warned about a new issue. That’s right, Microsoft after all of its patching of IE in recent months, missed one.
In its advisory, Microsoft noted that is investigating public reports of a remote code execution vulnerability in IE.
“The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated,” the advisory explains. “The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer.”
It’s a serious issue, but there is not a formal patch available (yet). Instead, Microsoft is issuing what is known as a “fix-it,”which will mitigate the risk but is not automatically available to Windows users via the normal Microsoft Update mechanism.
In a blog post, Qualys CTO Wolfgang Kandek noted that currently the attack is geographically limited to Japan, but he expects that to change soon now that Microsoft has published its advisory.
“Other attackers can now analyze the condition fixed and will be able to produce an equivalent exploit fairly quickly,” Kandek wrote. “Therefore, we suggest applying the fix-it as soon as possible if you use IE to access the Internet.”
Given the difficulties that Microsoft has had lately with updates, this latest issue is likely to cause some grumbling among enterprise administrators. I recently wrote about Microsoft’s fumbled Outlook update, but that was not a zero-day, it was just a flaw that messed up people’s email.
It’s not clear (yet) whether Microsoft knew about this issue before today and had been planning on patching this next month. What is clear to me is that Microsoft patches IE every month. More often than not, Microsoft notes in its advisories that the IE flaws were responsibly disclosed, but it’s apparent that there are also some flaws that aren’t first reported to Microsoft, before they are exploited in the wild by attackers.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.