Microsoft is to release an emergency patch to fix a reported vulnerability in Internet Explorer.


The update is set to be issued following the discovery of password-stealing Trojans that are believed to be based in China. Hackers have apparently used SQL injection to plant malicious links on legitimate websites.


Christopher Budd, security response communications lead for Microsoft, said in a blog posting: “We've just published our advance notification for an out-of-band security bulletin release. We plan to release the security update tomorrow, December 17, 2008 to address the vulnerability we've discussed in Microsoft Security Advisory 961051. Our target time, as always, is 10:00 a.m. Pacific Time.”


Graham Cluley, senior technology consultant at Sophos, said: “Concerns about the security bug escalated as it was discovered that it affected not only version 7 of Internet Explorer, but also IE 5.01 SP4, IE 6, IE 6 SP1 and IE 8 Beta 2. Attacks incorporating the exploit have also been seen on websites around the world, potentially putting Internet Explorer users at risk in the absence of a patch.


“Microsoft will have been working feverishly to put a patch together that can defend all the different versions of Internet Explorer, and testing that it works as expected. Within 24 hours the patch should be available for anyone to download, and fingers crossed computer users will be applying it without hesitation.”