Microsoft officials say the company is prepping a patch for its Internet Explorer browser to plug the vulnerability exploited by the Download.Ject attacks in June. The patch is expected sometime next week, several weeks before the next scheduled batch release of security fixes.
In late June, security concerns over IE were raised following several serious exploits, including Download.Ject, which allowed Microsoft IIS (Internet Information Services) Web servers to install a keystroke logger and other malware code to steal passwords and other personal data.
While Microsoft Corp. earlier this month released a Download.Ject Payload Detection and Removal Tool, as well as an early fix described as a “configuration change” for Windows ADODB.Stream component, the company had promised customers a more comprehensive fix.
At the time, Dean Hachamovitch, who heads the IE development team, said in a public chat on the subject: “We have people working around the clock on it.”
That time looks to be soon, as Hachamovitch on Wednesday said in a weekly, security-focused Webcast that the fix will arrive sometime next week.
Read more about the issues raised in the online discussion over the use of IE in the enterprise.
A Microsoft spokeswoman declined to offer a more exact date for the release, adding that the patch would be released when the company determines it has an “effective and quality fix for all [supported] versions of IE.”
The experiences with Download.Ject and other recent shell vulnerabilities have led some IT managers to ask if the browsers themselves are to blame—or is Windows itself just not safe? Check out this face-off on the browser wars between Linux and Windows.
The forthcoming patch release is out of order, the company admits, revealing the critical nature of the patches as well as addressing the concerns expressed by customers over the recent issues with the browser. The last scheduled “Patch Day” was July 13, when the company released several “critical” updates.