(LiveHacking.Com) – Microsoft has announced that it will release an out-of-band update to Internet Explorer to fix the recently found zero-day vulnerability that affects IE 6, 7, 8 and 9. The flaw was discovered by Eric Romang, a security researcher, who was monitoring some servers suspected of serving malware. On one of the server he found four files which upon analysis turned out to be a zero-day vulnerability exploit for Internet Explorer.
Microsoft subquently published Security Advisory 2757760 which confirms that the flaw exists in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9. Internet Explorer 10 is not affected. Then it published the “Prevent Memory Corruption via ExecCommand in Internet Explorer” Fix it solution, designed to be a easy-to-use, one-click, workaround for the vulnerability.
“A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”
Now, Microsoft has released details of an out-of-band update to Internet Explorer to fully address the issue as well as four other Critical-class remote code execution issues. Microsoft will release the cumulative update for IE today at 10 a.m. PDT. The update applies to IE 6, 7, 8 and 9 on all supported versions of Windows (XP, Vista, 7, Windows server). It will be made available through Windows Update and it is recommended that you install it as soon as it is available. If you have automatic updates enabled you won’t need to take any action. Microsoft has previously reported that there are targeted attacks, that attempt to exploit this vulnerability, happening in the wild.