In the wake of highly-publicized attacks on Google China and as many as 20 other firms last week, Microsoft announced on Tuesday it will release a so-called “out-of-band” patch for the zero-day
Ordinarily, Microsoft (NASDAQ: MSFT) releases most of its patches on the second Tuesday of the month, thereby earning the title “Patch Tuesday.” Because of the urgency created by the presence of active attacks in the wild, Microsoft will ship the patch for the new flaw as soon as it is coded, tested, and ready to distribute — thus the term “out-of-band.”
Google (NASDAQ: GOOG) first disclosed last week that it had experienced attacks that appeared to originate in China when it threatened to quit serving the Chinese search market due to what it deemed unacceptable censorship of its content by the government of the People’s Republic.
That was followed by disclosure later last week by Microsoft and Symantec (NASDAQ: SYMC) that a previously unknown zero-day hole in Internet Explorer had provided one of the key avenues for the attacks.
Microsoft first issued a Security Advisory regarding the zero-day hole, including a couple of workarounds that can help to block such attacks. A Security Advisory differs from a Microsoft Security Bulletin in that a Bulletin always includes a software patch but an Advisory does not. So at that time, the company was only contemplating a patch.
“I wanted to provide an update on the recent Internet Explorer (IE) vulnerability and let you know that Microsoft will release a security update out-of-band to help protect customers from possible attacks,” George Stathakopoulos, general manager of the Microsoft Security Response Center (MSRC), said in an e-mail to InternetNews.com. Timing for when that patch will be delivered won’t come until Wednesday, however.
Although the hole exists in all supported combinations of IE and Windows, apparently IE6 has been the largest focus for hackers.
” The attacks that we have seen to date, including public proof-of-concept exploit code, are only effective against Internet Explorer 6,” Stathakopoulos added in a post on the MSRC blog.
“Based on a rigorous analysis of multiple sources, we are not aware of any successful attacks against IE7 and IE8 at this time,” the post continued.
While users are waiting for the patch release, they can implement the workarounds discussed in last week’s Security Advisory. Those include ratcheting up IE’s security for both the Internet Zone and Local Intranet Zone to “high.”
In the meantime, users and administrators will have to play a waiting game.