Microsoft has announced that it will release an out-of-band patch for the zero-day vulnerability in Internet Explorer today.
According to Trustworthy Computing group manager Dustin Childs, Microsoft has seen only a limited number of customers affected by this issue, but the potential exists for more customers to be affected.
“The bulletin has a severity rating of ‘critical’, and it addresses CVE-2012-4792. Internet Explorer 9 and 10 are not affected by this issue and as always, we encourage customers to upgrade to the latest browser version,” he said.
“We recommend that you install this update as soon as it is available. This update for Internet Explorer 6 to 8 will be made available through Windows Update and our other standard distribution channels.”
As previously reported by SC Magazine, the vulnerability could allow remote code execution in three versions of the browser, and Microsoft was aware of targeted attacks attempting to exploit it; Internet Explorer 9 and Internet Explorer 10 were not affected.
As an interim measure, Microsoft had released a Fix It workaround and encouraged users to deploy the Microsoft Enhanced Mitigation Experience Toolkit (EMET) to help prevent exploitation of this vulnerability.
Ross Barrett, senior manager of security engineering at Rapid7, said: “If Microsoft's security team is correct, this vulnerability is still seeing only limited exploitation in the wild, but there is no reason to hold off only releasing a fix now that the patch is ready.
“It's always a race between security teams and malware writers, in this case given the attention this vulnerability has received it likely will not be long before exploitation becomes widespread. Getting a fix out under these circumstances is like immunising ahead of an outbreak that has already started.”