Microsoft Corp. said today it plans to break from its regularly scheduled monthly software update cycle to issue a patch on Tuesday for a security hole in its Internet Explorer Web browser that hackers have been exploiting lately.
Microsoft normally releases security updates on “Patch Tuesday,” the second Tuesday of each month. But this Tuesday, Mar. 30, Microsoft will release a cumulative update for Internet Explorer that fixes a critical software flaw in IE 6 and IE 7. The browser flaw lets hackers break into vulnerable systems remotely, with little help from users.
Redmond initially said it was aware of only “targeted” attacks that leveraged this vulnerability. But Microsoft’s statement that accompanied this announcement suggests that these attacks may have become more widespread.
“We have been monitoring this issue and have determined an out-of-band release is needed to protect customers,” Microsoft said in a statement on its Security Response Center blog today.
Tomorrow’s update will correct that flaw, as well as at least nine other security holes in IE that Microsoft had planned to patch on the next official Patch Tuesday (April 13).
Hopefully this will take care of the IE heap overflow exploit that came to light at Pwn2Own just a few days ago!
I wonder if they could fix it that fast?
Of course, if you don’t use Java, that may not be a concern, as I believe Java code was involved in that one.
I think they’re primarily correcting the IEPeers vulnerability: http://praetorianprefect.com/archives/2010/03/iepeers-a-new-internet-explorer-zero-day-vulnerability/
With that said, it’s not clear whether this was the plan from the moment that defect became well known or whether some triggering event occurred more recently. I know a/o Friday one group had worked out a more stable exploitation of the problem.
I suppose I’m jumping the gun as the new vulnerability exposed at Pwn2Own was for IE 8, but one can always hope!
The optimist says that it’s great Microsoft is being proactive about this one.
The pessimist realizes that most systems won’t be updated anyways 🙁
One can’t help thinking Microsoft is responding a little more quickly than it would normally to be seen to keep pace with Mozilla in reacting to security issues; let’s hope it won’t create a forced error for them.
Optimist: Issued out-of-band patch
Pessimist: Took them 19 days
Getting out-of-band patches more often is critical to keeping their ecosystem safe. In fact, they should lose the whole out-of-band concept.
If you can develop (and test) a countermeasure, why wait one second longer than necessary to get it out just to keep a regular routine?
The regularly scheduled fixes are for the IT drones. With a schedule, they can mark their calendars with events like “test MS fixes in test systems” and later, “roll out MS changes to production machines”. Then they can schedule all the other work they need to do.
If changes come fast and furious, they are stuck with the dilemma of either 1) dropping everything when a fix comes through, at the expense of everything else, or 2) maintaining the schedule of installing fixes.
Do the former, and management will scream that no useful work is getting done. Do the latter, and all is well until an incident occurs – an incident that could have been prevented by the upgrade you had yet to install. You may or may not have a job after that.
I’ve read some posts saying this emergency update will fix nine vulnerabilities, including one that has been exploited in attacks on IE6 and IE7 systems. There are various commercial “exploit modules” out that use this “IEPeers” vulnerability.
Dan — This story says that, too. Last paragraph.
“Tomorrow’s update will correct that flaw, as well as at least nine other security holes in IE that Microsoft had planned to patch on the next official Patch Tuesday (April 13).”
Hi Brian,
As always you have the most comprehensive update available and quicker than others. My apologies for missing that last paragraph. I must have been reading too many news feeds at the same time and overlooked it. 🙂
Thanks for the correction.
Please post whether there have been any problems with these updates. Thank you.
So far none on mine. I use Vista x64 and IE 8; there was only one update needed for it!
I guess because there aren’t as many holes in that version of the platform.
No problems so far!
The best thing about IE8 is that it is quite stable compared to previous releases of Internet Explorer.
@Plastic Pond;
I guess everyone’s mileage varies. Mine goes back and forth between every other Microsoft update. For now, the performance is great! But before the last patch Tuesday I had crashes and even worse, it just locks up the computer so I have to force a shut down!
It has been doing this every other update for two years.