Microsoft releases emergency update to patch IE bug

After all the recent commotion about the security holes in Java, Microsoft has released an emergency update for Internet Explorer. The update aims to patch a security vulnerability in Internet Explorer that is being used for attacks aimed at government contractors and other organisations.

The update will be automatically installed on affected machines that have automatic updating enabled and fixes a "use after free" bug in Internet Explorer 6, 7 and 8, according to Ars Technica. The update was pushed out to counter an experienced gang of hackers who were exploiting the vulnerability.

Newly identified bug found in Internet Explorer

Microsoft has rushed a new update for IE 6, 7, and 8 out the doors


This comes after the recent update that fixed a remote code execution loophole in the same versions of Internet Explorer. In an update now to its security advisory, Microsoft affirms that it has added a link to Microsoft Fix it solution, "MSHTML Shim Workaround" that prevents exploitation of this issue.

As per our earlier reports, Microsoft had confirmed that it was investigating a loophole affecting Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8. What was worrying about the vulnerability was that once the attacker managed to successfully crack the vulnerability, he could obtain for himself the same user rights as the current user. "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," Microsoft's security advisory revealed further.

The attacker could even go ahead and host malicious websites and then 'convince a user to view the website'. The vulnerability in question was not been found to affect Internet Explorer 9 and Internet Explorer 10. Microsoft revealed further that the vulnerability was in the way IE got through an object in memory that had been deleted or 'has not been properly allocated'.

Microsoft explained that in a web-based attack scenario, an attacker could host a website with the webpage used to exploit this loophole. However, even the advisory agreed that there is no way that an attacker could force a user to access these malicious websites. What he could do instead, was convince them and this he could do by getting them to click links in an email or IMs.

Microsoft, by way of its security advisory, had assured that, "We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. In addition, we are actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability."

Published Date: Jan 15, 2013 03:47 pm | Updated Date: Jan 15, 2013 03:47 pm