Microsoft pushes emergency patch for Internet Explorer

 

Gallery

Posted on 17 Dec 2008 at 08:35

Microsoft will break its traditional patch cycle to push out a fix for the Internet Explorer exploit.

The vulnerability stems from a memory corruption error in the handling of DHTML data bindings, and allows hackers to remotely execute code when the browser crashes. Hackers have been exploiting the vulnerability for over a week, with attacks initially coming from a number of Chinese-hosted porn sites.

That changed this weekend when Microsoft reported a "huge increase" in the number of attacks, as hackers began using SQL injection to corrupt legitimate sites. Trend Micro believes over 10,000 sites have been compromised to take advantage of the exploit, and has warned that the figure is "quickly increasing in number."

Evidence suggests the exploit is being mainly used to steal videogame passwords, though experts have warned it could be used to steal other personal information.

The vulnerability is specifically targeted at Internet Explorer 7, undoubtedly due to its huge user base. However, it's known to affect all versions.

The severity of the issue is evident in Microsoft's decision to break its own monthly patch schedule. It is only the second time in 18 months the company has felt the need to do so.

The patch will be rolled out through automatic updates and the Microsoft Download Center later today.

Author: Stuart Turton