Microsoft to fix IE hole today

 

Gallery

By Barry Collins

Posted on 21 Jan 2010 at 09:57

Microsoft will release a fix for the now notorious security hole in Internet Explorer later today.

The patch will be released at around 6pm UK time, following Microsoft's decision earlier this week to plug the hole before the next Patch Tuesday update on 9 February.

The flaw was blamed for the Chinese attacks on Google, Adobe and other large companies. Microsoft insists the aged Internet Explorer 6 is the only browser that's been exploited so far, although it admits the flaw is also present in IE7 and 8.

Based on our in-the-field detections, this security vulnerability has only been used in a very limited number of targeted attacks so far, however they appear to be very high profile attacks

Security firms agree that the threat is limited. "Based on our in-the-field detections, this security vulnerability has only been used in a very limited number of targeted attacks so far, however they appear to be very high profile attacks,” claims Joshua Talbot, security intelligence manager at Symantec.

"The most likely attack vector used in the incidents seen thus far is targeted emails containing legitimate looking attachments or links to websites sent to high-level employees. When the attachment is opened, an exploit for the vulnerability springs into action and the computer becomes infected."

Microsoft itself has released further details of the flaw on its Security Response Center blog. It claims that Windows Vista and 7 are "more effective" at blocking the remote data execution than Windows XP, and once again claims that the increased security of Internet Explorer 8 offers better protection against the exploit than its predecessors.

The company is also advising Microsoft Office users to disable ActiveX controls to prevent Word, Excel or other apps being used to run a malicious file.