Well, it has happened before, quite recently in fact – back in October Microsoft rushed out a patch for the RPC exploit, which was the first time in 18 months they had issued an out-of-band patch.
Now, just a couple of months later, they are releasing another one (which should be available today – Wednesday December 17th 2008) for the recent remote code execution vulnerability in almost all versions of IE.
It’s the right thing to do, though, and in terms of PR they had to do it, as the mainstream news had gotten hold of this story and weren’t going to let go.
Microsoft will push out an emergency security patch for Internet Explorer on Wednesday, addressing a critical security hole currently being exploited in the wild.
Redmond issued advance notice for tomorrow’s fix, describing the out-of-cycle patch as protection from “remote code execution.”
Unscheduled updates are pretty rare for Microsoft, stressing the potentially serious nature of the flaw. Although the last time Microsoft broke its update cycle was in late October – it was the first time it had done so in about 18 months.
I guess they caved in after the media pressure and the panic starting amongst consumers; the exploit was actually being used in the wild (even though mostly from Chinese sites), so it’s still a real risk.
It seems that if a vulnerability allows remote code execution, they will issue an ad hoc patch to address the issue.
The latest zero-day vulnerability stems from data binding bugs that allow hackers access to a computer’s memory space, allowing attackers to remotely execute malicious code as IE crashes, Microsoft has said.
Although the exploit was at first contained to warez and porn sites hosted on a variety of Chinese domains, the malicious JavaScript code has since spread to more trusted sites through SQL injection. The flaw is primarily being used to steal video game passwords at present, but could potentially be used to retrieve more critical sensitive data from users as well.
The vulnerability is specifically targeted at surfers running IE 7, but it’s also known to affect versions 5, 6, and 8 of the browser as well. All IE users are advised to install the update.
The patch will become available Wednesday at 1 PM EST from auto-update and the Microsoft Download Center. A separate patch will be made available for those running IE8 Beta 2.
Source: The Register
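The excerpt above notes that the malicious JavaScript reached otherwise trusted sites through SQL injection, which means the site’s own stored content is what carries the injected script tag. As an added example (not code from the original post, from Microsoft or from The Register), the script below scans HTML fragments such as rows dumped from a CMS database for externally sourced `<script>` tags and hidden `<iframe>`s whose host is not on an allow-list. The sample rows, the `.invalid` domains and the allow-list are constructed placeholders, not real indicators from the incident.

```python
"""Scan stored HTML fragments (e.g. rows dumped from a CMS database) for
externally sourced <script> tags and hidden <iframe>s that point outside an
allow-list of hosts. Added example; the sample data is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _InjectScanner(HTMLParser):
    """Collects script/iframe references whose host is not allow-listed."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self._check(tag, a["src"])
        elif tag == "iframe" and a.get("src"):
            # Zero-size or display:none frames are the classic injected form.
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = ("display:none" in style
                      or a.get("width") == "0" or a.get("height") == "0")
            self._check(tag, a["src"], hidden=hidden)

    def _check(self, tag, src, hidden=False):
        host = urlparse(src).hostname
        if host is None:
            return  # relative URL: served by the site itself, not an injection
        if host.lower() not in self.allowed_hosts:
            self.findings.append(
                {"tag": tag, "src": src, "host": host.lower(), "hidden": hidden})


def find_injected_references(html, allowed_hosts):
    """Return a list of findings for one HTML fragment."""
    scanner = _InjectScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def scan_records(records, allowed_hosts):
    """records: iterable of (record_id, html) pairs; returns {record_id: findings}
    containing only the records that reference a non-allow-listed host."""
    hits = {}
    for rec_id, html in records:
        findings = find_injected_references(html, allowed_hosts)
        if findings:
            hits[rec_id] = findings
    return hits


# Constructed sample rows; the .invalid domains are placeholders, not real IoCs.
SAMPLE_ROWS = [
    (1, '<p>Welcome</p><script src="/static/app.js"></script>'),
    (2, '<p>Guide</p><script src="http://cdn.example.com/lib.js"></script>'),
    (3, '<p>News</p><script src="http://evil.invalid/x.js"></script>'),
    (4, '<p>Forum</p><iframe src="http://bad.invalid/f.html" width="0" height="0"></iframe>'),
]

if __name__ == "__main__":
    for rid, findings in scan_records(SAMPLE_ROWS, ["cdn.example.com"]).items():
        for f in findings:
            flag = " (hidden)" if f["hidden"] else ""
            print(f"row {rid}: <{f['tag']}> -> {f['src']}{flag}")
```

Run it against an export of the content tables rather than the live site: the injected tag is in the database, so a page-level crawl can miss rows that are not currently rendered, and the same rows are what need to be cleaned after the injection vector itself is closed.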
Pantagruel says
Regarding the exploit’s nature (remote code execution), it’s a good thing MS decided to issue this out-of-band fix. There is little PR value in keeping it on the shelves just to stick to the ‘patch Tuesday’ cycle.
The only downside is they decided on releasing a patch after somewhat of a public uproar instead of distributing it via auto-update sooner after the exploit was found.
navin says
Not that MS had an option… don’t know how far this is true, but I read somewhere that the patch issued isn’t actually a cure for the remote code execution exploit but is rather simply a detection tool for the exploit so that IE can identify bugged sites… MS is supposedly still working on a full-blown solution.