Microsoft Breaks Patch Cycle to Issue IE Patch

The New Acunetix V12 Engine


Well it has happened before, quite recently in fact – back in October Microsoft rushed out a patch for the RPC exploit, which was the first time in 18 months they had issued an out of band patch.

Now just a couple of months later they are releasing another one (which should be available today – Wednesday December 17th 2008) for the recent remote code execution vulnerability in almost all versions of IE.

It’s the right thing to do though and in terms of PR they had to do it as the mainstream news had gotten hold of this story and they weren’t going to let go.

Microsoft will push out an emergency security patch for Internet Explorer on Wednesday, addressing a critical security hole currently being exploited in the wild.

Redmond issued advanced notice for tomorrow’s fix, describing the out-of-cycle patch as protection from “remote code execution.”

Unscheduled updates are pretty rare for Microsoft, stressing the potentially serious nature of the flaw. Although the last time Microsoft broke it’s update cycle was in late October – it was the first time it had done so in about 18 months.

I guess they caved in after the media pressure and the panic starting amongst consumers as the exploit was actually being used in the wild (even though mostly from China sites) it’s still a risk.

It seems like if a vulnerability allows for remote code execution they will issue an adhoc patch to address the issue.

The latest zero-day vulnerability stems from data binding bugs that allows hackers access to a computer’s memory space, allowing attackers to remotely execute malicious code as IE crashes, Microsoft has said.

Although the exploit was at first contained to warez and porn sites hosted on a variety of Chinese domains, the malicious JavaScript code has since spread to more trusted sites though SQL injection. The flaw is primarily being used to steal video game passwords at present, but could potentially be used to retrieve more critical sensitive data from users as well.

The vulnerability is specifically targeted at surfers running IE 7, but it’s also known to affect versions 5, 6, and 8 of the browser as well. All IE users are advised to install the update.

The patch will become available Wednesday at 1 PM EST from auto-update and the Microsoft Download Center. A separate patch will be made available for those running IE8 Beta 2.

Source: The Register

Posted in: Exploits/Vulnerabilities, Windows Hacking


Latest Posts:


Intercepter-NG - Android App For Hacking Intercepter-NG – Android App For Hacking
Intercepter-NG is a multi functional network toolkit including an Android app for hacking, the main purpose is to recover interesting data from the network stream and perform different kinds of MiTM attacks.
dcipher - Online Hash Cracking Using Rainbow & Lookup Tables dcipher – Online Hash Cracking Using Rainbow & Lookup Tables
dcipher is a JavaScript-based online hash cracking tool to decipher hashes using online rainbow & lookup table attack services.
HTTP Security Considerations - An Introduction To HTTP Basics HTTP Security Considerations – An Introduction To HTTP Basics
HTTP is ubiquitous now with pretty much everything being powered by an API, a web application or some kind of cloud-based HTTP driven infrastructure. With that HTTP Security becomes paramount and to secure HTTP you have to understand it.
Cangibrina - Admin Dashboard Finder Tool Cangibrina – Admin Dashboard Finder Tool
Cangibrina is a Python-based multi platform admin dashboard finder tool which aims to obtain the location of website dashboards by using brute-force, wordlists etc.
Enumall - Subdomain Discovery Using Recon-ng & AltDNS Enumall – Subdomain Discovery Using Recon-ng & AltDNS
Enumall is a Python-based tool that helps you do subdomain discovery using only one command by combining the abilities of Recon-ng and AltDNS.
RidRelay - SMB Relay Attack For Username Enumeration RidRelay – SMB Relay Attack For Username Enumeration
RidRelay is a Python-based tool to enumerate usernames on a domain where you have no credentials by using a SMB Relay Attack with low privileges.


2 Responses to Microsoft Breaks Patch Cycle to Issue IE Patch

  1. Pantagruel December 17, 2008 at 9:48 am #

    Regarding the exploits nature (remote code execution) it’s a good thing MS deceided to issue this out of band fix. There is little pr value in keeping it on the shelves just to stick to the ‘patch tuesday’ cycle.
    The only downside is they deceided on releasing a patch after somewhat of a public uproar instead of auto-update distribute it sooner after the exploit was found.

  2. navin December 17, 2008 at 12:41 pm #

    not tht MS had an option….dunno how far this is true, but I read sumwhere tht the patch issued isn’t actually a cure for the remote code execution exploit but is rather simply a detection tool for the exploit so tht IE can identify bugged sites……MS is supposedly still working on a full blown solution