Microsoft Breaks Patch Cycle to Issue IE Patch

The New Acunetix V12 Engine


Well it has happened before, quite recently in fact – back in October Microsoft rushed out a patch for the RPC exploit, which was the first time in 18 months they had issued an out of band patch.

Now just a couple of months later they are releasing another one (which should be available today – Wednesday December 17th 2008) for the recent remote code execution vulnerability in almost all versions of IE.

It’s the right thing to do though and in terms of PR they had to do it as the mainstream news had gotten hold of this story and they weren’t going to let go.

Microsoft will push out an emergency security patch for Internet Explorer on Wednesday, addressing a critical security hole currently being exploited in the wild.

Redmond issued advanced notice for tomorrow’s fix, describing the out-of-cycle patch as protection from “remote code execution.”

Unscheduled updates are pretty rare for Microsoft, stressing the potentially serious nature of the flaw. Although the last time Microsoft broke it’s update cycle was in late October – it was the first time it had done so in about 18 months.

I guess they caved in after the media pressure and the panic starting amongst consumers as the exploit was actually being used in the wild (even though mostly from China sites) it’s still a risk.

It seems like if a vulnerability allows for remote code execution they will issue an adhoc patch to address the issue.

The latest zero-day vulnerability stems from data binding bugs that allows hackers access to a computer’s memory space, allowing attackers to remotely execute malicious code as IE crashes, Microsoft has said.

Although the exploit was at first contained to warez and porn sites hosted on a variety of Chinese domains, the malicious JavaScript code has since spread to more trusted sites though SQL injection. The flaw is primarily being used to steal video game passwords at present, but could potentially be used to retrieve more critical sensitive data from users as well.

The vulnerability is specifically targeted at surfers running IE 7, but it’s also known to affect versions 5, 6, and 8 of the browser as well. All IE users are advised to install the update.

The patch will become available Wednesday at 1 PM EST from auto-update and the Microsoft Download Center. A separate patch will be made available for those running IE8 Beta 2.

Source: The Register

Posted in: Exploits/Vulnerabilities, Windows Hacking


Latest Posts:


NetBScanner - NetBIOS Network Scanner NetBScanner – NetBIOS Network Scanner
NetBScanner is a NetBIOS network scanner tool that scans all computers in the IP addresses range you choose, using the NetBIOS protocol.
Metta - Information Security Adversarial Simulation Tool Metta – Information Security Adversarial Simulation Tool
Metta is an information security preparedness tool in Python to help with adversarial simulation and assess security defense preparation and alerts.
Powershell-RAT - Gmail Exfiltration RAT Powershell-RAT – Gmail Exfiltration RAT
Powershell-RAT is a Python-based Gmail exfiltration RAT that can be used a Windows backdoor to send screenshots or other data as an e-mail attachment.
SCADA Hacking - Industrial Systems Woefully Insecure SCADA Hacking – Industrial Systems Woefully Insecure
It seems like SCADA hacking is still a topic in hacker conferences, and it should be with SCADA systems still driving power stations, manufacturing plants etc.
airgeddon - Wireless Security Auditing Script airgeddon – Wireless Security Auditing Script
Airgeddon is a Bash powered multi-use Wireless Security Auditing Script for Linux systems with an extremely extensive feature list.
Acunetix v12 - Pause & Resume Acunetix v12 – More Comprehensive More Accurate & 2x Faster
Acunetix, the pioneer in automated web application security software, has announced the release of Acunetix v12 - more comprehensive, accurate & 2x faster.


2 Responses to Microsoft Breaks Patch Cycle to Issue IE Patch

  1. Pantagruel December 17, 2008 at 9:48 am #

    Regarding the exploits nature (remote code execution) it’s a good thing MS deceided to issue this out of band fix. There is little pr value in keeping it on the shelves just to stick to the ‘patch tuesday’ cycle.
    The only downside is they deceided on releasing a patch after somewhat of a public uproar instead of auto-update distribute it sooner after the exploit was found.

  2. navin December 17, 2008 at 12:41 pm #

    not tht MS had an option….dunno how far this is true, but I read sumwhere tht the patch issued isn’t actually a cure for the remote code execution exploit but is rather simply a detection tool for the exploit so tht IE can identify bugged sites……MS is supposedly still working on a full blown solution