As we mentioned last week, Microsoft confirmed an unpatched bug in Internet Explorer that hackers are exploiting. Now, the company is issuing an emergency security patch for all versions of Internet Explorer. In an advance notification of the patch, Microsoft describes it as protection against a "remote code execution" vulnerability. Microsoft posted a security advisory last Wednesday and offered a few mitigations and workarounds for protection.
This flaw makes it possible for attackers to steal personal data such as passwords if a user visits a compromised website. On Saturday, Microsoft warned that 1 in 500 Internet Explorer users worldwide may have been exposed to malware hosted at both legitimate websites and porn sites. It appears the vulnerability has primarily been used to steal gaming passwords for black market sales, but there’s no guarantee that the hole hasn’t been, or won’t be, used for other purposes as well. As a result, some security analysts have gone so far as to suggest that people switch browsers to protect themselves from the flaw. Furthermore, in a blog post, Graham Cluley, senior technology consultant at Sophos, said his company is seeing about 20,000 newly infected web pages each day. The majority of those are legitimate sites that have been compromised through a SQL injection attack.
According to a blog post from Microsoft Security Response Center researchers Ziv Mador and Tareq Saade, the number of users who have been affected is rising quickly: "Based on our stats, since the vulnerability has gone public, roughly 0.2% of users worldwide may have been exposed to websites containing exploits of this latest vulnerability. That percentage may seem low, however it still means that a significant number of users have been affected. The trend for now is going upwards: We saw an increase of over 50% in the number of reports today compared to yesterday."
Microsoft says it is aware only of attacks affecting Internet Explorer 7 on certain systems. However, all users of IE5, 6, and 7 are encouraged to install the fix. A separate patch for users of IE8 Beta 2 is expected to be made available as well. The patch should be available today at 1 p.m. EST at the Microsoft Update site as well as at the Microsoft Download Center.