Microsoft releases out-of-cycle patch for Internet Explorer
Patch Tuesday came and went last week without Microsoft addressing a glaring error -- a zero-day flaw in Internet Explorer versions 6 through 8 that attackers use to gain control of a computer. The defect did not affect IE versions 9 and 10, which have been called more secure by some experts.
Now the company is rolling out an uncharacteristic out-of-cycle patch to fix the bug. This follows a manual fix the company released earlier to help users of these legacy browsers protect themselves from attack.
According to a security bulletin released by Microsoft, "The vulnerability is a remote code execution vulnerability that exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website".
The patch was pushed out at 10 a.m. PT today and will supposedly fully fix the security hole in all versions of Internet Explorer. It is classified as a "critical update", which means it will be applied automatically. So far, Microsoft claims that only a limited number of customers have been affected by this bug, perhaps due to the adoption rate of the newer versions of the web browser.