Microsoft Set to Fix IE Zero Day Flaw

Microsoft is set to release an out of cycle patch for the zero day IE flaw that has left users at risk since Thursday December 11th when the flaw was first reported.

The patch is expected tomorrow and for many users, won’t come too soon.

The flaw is rooted in IE’s XML parser and affects all versions of IE. The flaw could allow an attacker to execute arbitrary code on a Windows PC. The attack vector used for exploiting the flaw has been primarily by way of infected Web sites that an IE user visits.

Microsoft expanded its advisory regarding the flaw last Friday, December 12th.

“At this time, we are aware only of attacks that attempt to use this vulnerability against Windows Internet Explorer 7,” Christopher Budd, Microsoft security response communications lead, said in a statement e-mailed to “Microsoft encourages customers to test and deploy this update as soon as possible.”

As of Saturday December 13th, Microsoft reported that roughly 0.2 percent of IE users worldwide may have visited Web sites that are exploiting the vulnerability.

“That percentage may seem low. However it still means that a significant number of users have been affected,” Ziv Mador and Tareq Saade wrote on the Microsoft Threat Research and Response Blog. “The trend for now is going upwards: we saw an increase of over 50 percent in the number of reports today compared to yesterday.”

Trend Micro Advanced Threats Researcher Ivan Macalintal estimated the number of infected sites to be at 6,000 as of Saturday and growing. The use of Web sites as a delivery mechanism for attacks is one that has grown significantly in 2008. Cisco’s 2008 annual security report found that exploited Web sites in 2008 were responsible for 87 percent of all Web-based threats.

The Microsoft IE update will be delivered at 10 AM PT on Wednesday Dec 17th through the Microsoft Update site and will be pushed to Microsoft Update users via automatic updates.

The IE XML zero day flaw was missed in Microsoft’s December Patch Tuesday update, which included fixes for four separate IE vulnerabilities. The next regularly scheduled Patch Tuesday update from Microsoft is not expected until January 9, 2009.

Out of cycle patches are uncommon, but not unheard of for Microsoft.

The company has issued several out of cycle patches for IE over the years, including one for a URL spoofing flaw. 2004 also saw an out of cycle patch for an IFRAME flaw that Microsoft had originally denied would be fixed out of cycle.