Download Index

In-Depth Reviews

Tips & Tutorials

Updates

News

Browsers

Chat / Conferencing

Desktop Utilities

Development

Internet Apps

Multimedia

OS Service Packs

Productivity Tools

Download of the day • Adobe Flash Player

Most Popular Software Downloads • Windows Vista Service Pack 2 (Vista SP2) • Mozilla Firefox 3 • QuickTime for Windows • Adobe Flash Player • Windows 7 • Norton Internet Security 2010 • Internet Explorer 8 • CCleaner (Crap Cleaner) • Winamp • Skype Most Popular Software Articles • Windows Vista Tips: Home Networking Setup Tutorial • 10 Must-Have Apps: The Free Windows Networking Toolkit • How to Make Your Internet Connection Faster, Better

Microsoft Set to Fix IE Zero Day Flaw
Out-of-Cycle Patch for IE Expected Wednesday
Sean Michael Kerner

Microsoft is set to release an out-of-cycle patch for the zero-day IE flaw that has left users at risk since Thursday December 11th when the flaw was first reported.

The patch is expected tomorrow and for many users, won't come too soon.

The flaw is rooted in IE's XML parser and affects all versions of IE. The flaw could allow an attacker to execute arbitrary code on a Windows PC. The attack vector used for exploiting the flaw has been primarily by way of infected Web sites that an IE user visits.

Microsoft expanded its advisory regarding the flaw last Friday, December 12th.

"At this time, we are aware only of attacks that attempt to use this vulnerability against Windows Internet Explorer 7," Christopher Budd, Microsoft security response communications lead, said in a statement e-mailed to InternetNews.com. "Microsoft encourages customers to test and deploy this update as soon as possible."

As of Saturday December 13th, Microsoft reported that roughly 0.2 percent of IE users worldwide may have visited Web sites that are exploiting the vulnerability.

"That percentage may seem low. However it still means that a significant number of users have been affected," Ziv Mador and Tareq Saade wrote on the Microsoft Threat Research and Response Blog. "The trend for now is going upwards: we saw an increase of over 50 percent in the number of reports today compared to yesterday."

Trend Micro Advanced Threats Researcher Ivan Macalintal estimated the number of infected sites to be at 6,000 as of Saturday and growing. The use of websites as a delivery mechanism for attack is one that has grown significantly in 2008. Cisco's 2008 annual security report found that exploited Web sites in 2008 were responsible for 87 percent of all web based threats

The Microsoft IE update will be delivered at 10 AM PT on Wednesday Dec 17th though the Microsoft Update site and will be pushed to Microsoft Update users via automatic updates.

The IE XML zero day flaw was missed in Microsoft's December Patch Tuesday update, which included four separate IE vulnerabilities. The next regularly scheduled Patch Tuesday update from Microsoft is not expected until January 9, 2009.

Out of cycle patches are uncommon, but not unheard of for Microsoft.

The company issued several out of cycle patches for IE over the years, including one for a URL spoofing flaw. 2004 also saw and out of cycle patch for an IFRAME (define) flaw that Microsoft had originally denied. would be fixed out of cycle.

News courtesy of internetnews.com

December 17, 2008

Download Internet Explorer Now!

Download Microsoft Windows Malicious Software Removal Tool Now!

View All Microsoft Service & Security Releases

Contents:
1. Out-of-Cycle Patch for IE Expected Wednesday

Additional Articles: