Microsoft announces plans to release out-of-band patch to cover heavily publicised zero-day vulnerability

News by Dan Raywood

Microsoft is to release an out-of-band patch to cover the vulnerability in Internet Explorer that has caused headlines in the past week.

In an update on the Response Centre blog, George Stathakopoulos, general manager of Microsoft's Trustworthy Computing Security, confirmed that an out-of-band patch will be released for security advisory 979352.

He claimed that given 'the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment', Microsoft was releasing the patch.

No further details have been given on when the patch will be released.

He said: "We take the decision to go out-of-band very seriously given the impact to customers, but we believe releasing an update out-of-band is the right decision at this time. We will provide the specific timing of the release tomorrow."

McAfee's chief technology officer George Kurtz claimed that this was good news, but said that the bad news is that it had seen at least one unofficial patch for the vulnerability created by a third party.

He said: "Patching is of course a good idea, don't just apply any patch. These unofficial patches may seem like a good idea as they appear to provide immediate protection, but applying a patch from an unknown source for software that was created by someone else just isn't a good idea. It can create all kinds of compatibility and performance issues and may be a security risk of its own."

Richie Lai, director of vulnerability research for Qualys, said: "Internally we do not think of the IE zero-day that was released last week isn't something that is new or unique. Every couple of months a new exploit for a critical vulnerability is discovered in the browser space and all major browsers see their share. What is new is that the affected organizations are coming forward with information on the attacks - a positive trend that we encourage and hope will continue.

"As of now, the attacks are limited to a small target population and we have not seen widespread use of the exploit. We expect that to change in the coming days since details of the vulnerability have been made publicly available. Microsoft has released a Fix-It, which will turn on DEP for IE and help mitigate the attack. However there is active research going on to bypass the DEP measure and its effectiveness could be limited."
