Microsoft Breaks Patch Cycle to Issue IE Patch


Well it has happened before, quite recently in fact – back in October Microsoft rushed out a patch for the RPC exploit, which was the first time in 18 months they had issued an out of band patch.

Now just a couple of months later they are releasing another one (which should be available today – Wednesday December 17th 2008) for the recent remote code execution vulnerability in almost all versions of IE.

It’s the right thing to do though and in terms of PR they had to do it as the mainstream news had gotten hold of this story and they weren’t going to let go.

Microsoft will push out an emergency security patch for Internet Explorer on Wednesday, addressing a critical security hole currently being exploited in the wild.

Redmond issued advanced notice for tomorrow’s fix, describing the out-of-cycle patch as protection from “remote code execution.”

Unscheduled updates are pretty rare for Microsoft, stressing the potentially serious nature of the flaw. Although the last time Microsoft broke it’s update cycle was in late October – it was the first time it had done so in about 18 months.

I guess they caved in after the media pressure and the panic starting amongst consumers as the exploit was actually being used in the wild (even though mostly from China sites) it’s still a risk.

It seems like if a vulnerability allows for remote code execution they will issue an adhoc patch to address the issue.

The latest zero-day vulnerability stems from data binding bugs that allows hackers access to a computer’s memory space, allowing attackers to remotely execute malicious code as IE crashes, Microsoft has said.

Although the exploit was at first contained to warez and porn sites hosted on a variety of Chinese domains, the malicious JavaScript code has since spread to more trusted sites though SQL injection. The flaw is primarily being used to steal video game passwords at present, but could potentially be used to retrieve more critical sensitive data from users as well.

The vulnerability is specifically targeted at surfers running IE 7, but it’s also known to affect versions 5, 6, and 8 of the browser as well. All IE users are advised to install the update.

The patch will become available Wednesday at 1 PM EST from auto-update and the Microsoft Download Center. A separate patch will be made available for those running IE8 Beta 2.

Source: The Register

Posted in: Exploits/Vulnerabilities, Windows Hacking


Latest Posts:


Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.
UBoat - Proof Of Concept PoC HTTP Botnet Project UBoat – Proof Of Concept PoC HTTP Botnet Project
UBoat is a PoC HTTP Botnet designed to replicate a full weaponised commercial botnet like the famous large scale infectors Festi, Grum, Zeus and SpyEye.
LambdaGuard - AWS Lambda Serverless Security Scanner LambdaGuard – AWS Lambda Serverless Security Scanner
LambdaGuard is a tool which allows you to visualise and audit the security of your serverless assets, an open-source AWS Lambda Serverless Security Scanner.
exe2powershell - Convert EXE to BAT Files exe2powershell – Convert EXE to BAT Files
exe2powershell is used to convert EXE to BAT files, the previously well known tool for this was exe2bat, this is a version for modern Windows.
HiddenWall - Create Hidden Kernel Modules HiddenWall – Create Hidden Kernel Modules
HiddenWall is a Linux kernel module generator used to create hidden kernel modules to protect your server from attackers.
Anteater - CI/CD Security Gate Check Framework Anteater – CI/CD Security Gate Check Framework
Anteater is a CI/CD Security Gate Check Framework to prevent the unwanted merging of filenames, binaries, deprecated functions, staging variables and more.


2 Responses to Microsoft Breaks Patch Cycle to Issue IE Patch

  1. Pantagruel December 17, 2008 at 9:48 am #

    Regarding the exploits nature (remote code execution) it’s a good thing MS deceided to issue this out of band fix. There is little pr value in keeping it on the shelves just to stick to the ‘patch tuesday’ cycle.
    The only downside is they deceided on releasing a patch after somewhat of a public uproar instead of auto-update distribute it sooner after the exploit was found.

  2. navin December 17, 2008 at 12:41 pm #

    not tht MS had an option….dunno how far this is true, but I read sumwhere tht the patch issued isn’t actually a cure for the remote code execution exploit but is rather simply a detection tool for the exploit so tht IE can identify bugged sites……MS is supposedly still working on a full blown solution