Microsoft is to release an emergency patch for Internet Explorer this evening.
Jerry Bryant, senior security communications manager at Microsoft, said that it will be releasing security update MS10-018 to resolve Security Advisory 981374, addressing a publicly disclosed vulnerability in Internet Explorer 6 and Internet Explorer 7. He confirmed that Internet Explorer 8 is unaffected by the vulnerability addressed in the advisory.
He said: “We recommend that customers install the update as soon as it is available. We have been monitoring this issue and have determined an out-of-band release is needed to protect customers. For customers using automatic updates, this update will automatically be applied once it is released.”
Jason Miller, data and security team leader at Shavlik Technologies, claimed that the bulletin was due to be released on April's Patch Tuesday, 13th April.
He said: “The patch is a cumulative update that fixes multiple vulnerabilities. Some of the vulnerabilities fixed in this bulletin do affect Internet Explorer 8. Administrators should be sure to patch all versions of Internet Explorer as soon as the bulletin is released.
“It is not uncommon lately for Microsoft to release out-of-band as Microsoft monitors the situation through customer reports and exploit activity. If they notice, as in this case, the threat is growing, they will release out-of-band to address the vulnerability.”
Wolfgang Kandek, CTO at Qualys, claimed that the patch being released out-of-band ‘is an indication that attacks against the iepeers vulnerability are on the rise’.
He said: “If you are still using IE6 or IE7, patch immediately. But even if you are on IE8 you should patch as quickly as possible, as attackers will start reverse engineering the flaws addressed and preparing corresponding exploits within the week. Kudos to Microsoft for their quick turnaround on this vulnerability.”
Apple has also announced a security update that will cover vulnerabilities in Mac OS X Server 10.5 and 10.6, and in Mac OS X 10.5 and 10.6.
Andrew Storms, director of security operations for nCircle, said: “A number of the bugs Apple patched today could also affect OS X 10.5, but we have no updates for 10.5 today. If OS X 10.5 is affected, users still on it could be vulnerable. Now that the patches are out, hackers can target these vulnerabilities.
“This could also be a signal that Apple is moving toward end-of-life for 10.5, so users might want to start considering an update to OS X.”