The company will release additional details today

Jan 20, 2010 11:51 GMT

Microsoft is not going to wait for its next patch cycle release in February to provide an update for a security vulnerability affecting Internet Explorer. George Stathakopoulos, general manager, MSRC, has officially confirmed that the software giant will release an out-of-band security update for Internet Explorer, the full details of which will be shared later today, January 20, 2010. It’s not uncommon for Microsoft to make out-of-band security updates available for its products, although this happens only on extremely rare occasions.

As far as the process of issuing security updates goes, Microsoft has opted for monthly releases in order to give customers, especially corporations, a chance to adhere to a comprehensive program of patches, with releases offered on Patch Tuesday, the second Tuesday of each month. Whenever the company breaks this cycle, it does so with an out-of-band update, but only for vulnerabilities that meet certain criteria.

“Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment, Microsoft will release a security update out-of-band for this vulnerability,” Stathakopoulos stated. “We take the decision to go out-of-band very seriously given the impact to customers, but we believe releasing an out-of-band update is the right decision at this time.”

The new Internet Explorer zero-day vulnerability, an invalid pointer reference already exploited in the wild, certainly qualifies for an out-of-band patch. The security hole in question was confirmed as one of the vectors used by China-based attackers in recent hacks against a number of US companies, including Google. After details of the vulnerability were made public, with exploits and attacks confirmed and Proof-of-Concept code available in the wild, Microsoft has rushed to patch the vulnerability.

“Based on our comprehensive monitoring of the threat landscape we continue to see very limited, and in some cases, targeted attacks. To date, the only successful attacks that we are aware of have been against Internet Explorer 6. We continue to recommend customers update to Internet Explorer 8 to benefit from the improved security protection it offers. We also recommend customers consider deploying the workarounds and mitigations provided in Security Advisory 979352,” Stathakopoulos added.
