Microsoft has taken the unusual step of issuing a special update to protect against the current Internet Explorer vulnerability.
The update is not in the software giant’s regular patch schedule and Microsoft is recommending customers update immediately. The update will be automatically applied to those who have Automatic Updates turned on.
“Microsoft takes the decision to conduct an out-of-band update very seriously given the impact to customers, but we believe that it is the right decision to keep people protected,” the company said in a statement.
“Once the update is applied, customers will be protected against the known attacks that have been reported.”
The security flaw, which was allegedly used by hackers to attack Google in China and other corporate networks, affects two earlier versions of the company’s popular Internet browser and other Microsoft programs.
Applications including Outlook, Outlook Express and Windows Mail that use Microsoft’s HTML rendering engine could potentially be exploited if attackers can prevent Active Scripting and ActiveX controls from being used. However, if a user clicks a link in an e-mail message, the user could still be exposed to exploitation of this vulnerability through a Web-based attack scenario.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.
Microsoft has urged users to upgrade to Internet Explorer 8, and to Service Pack 3 for those using Windows XP, to help mitigate the threat, and has issued a security advisory. Internet Explorer 8 is not affected by the currently known attacks.
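For administrators who want to find which machines fall into the population the article describes (IE 6 and 7 exposed, IE 8 not affected by the known attacks, Windows XP users advised to move to Service Pack 3), the following PowerShell inventory check is an added example written for this page; it is not code from the article, Microsoft or Symantec. It assumes the standard Windows registry layout: the installed browser version is read from the `Version` value under `HKLM\SOFTWARE\Microsoft\Internet Explorer` (IE 10 and later also write `svcVersion`), and the Internet zone's Active Scripting and ActiveX settings are read from values `1400` and `1200` under `Zones\3` (0 = enable, 1 = prompt, 3 = disable). Older cmdlets such as `Get-WmiObject` are used so it also runs on the older PowerShell versions found on Windows XP.

```powershell
# Added inventory check (not from the article, Microsoft or Symantec).
# Assumption: standard IE and Internet Settings registry layout as described in the lead-in.

function Get-ZoneSettingName {
    # Translate a zone policy DWORD into a readable label.
    param([object]$Value)
    switch ($Value) {
        0       { 'Enabled' }
        1       { 'Prompt' }
        3       { 'Disabled' }
        default { 'Unknown / not set' }
    }
}

function Get-IeExposureReport {
    $ieKey   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

    $ie = Get-ItemProperty -Path $ieKey -ErrorAction Stop
    # IE 10 and later keep "Version" at 9.x and report the real version in "svcVersion".
    $versionString = if ($ie.PSObject.Properties['svcVersion']) { $ie.svcVersion } else { $ie.Version }
    $major = [int]($versionString.Split('.')[0])

    # Get-WmiObject rather than Get-CimInstance so the script runs on PowerShell 2.0 (Windows XP).
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Internet zone (zone 3) policy values; absent values mean the built-in default applies.
    $zone = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue
    $scripting = if ($zone -and $zone.PSObject.Properties['1400']) { $zone.'1400' } else { $null }
    $activeX   = if ($zone -and $zone.PSObject.Properties['1200']) { $zone.'1200' } else { $null }

    # Classification follows what the article states about each browser version.
    $assessment = if ($major -le 7) {
        'IE 6/7: affected population; upgrade to IE 8 and install the out-of-band update'
    } elseif ($major -eq 8) {
        'IE 8: not affected by the known attacks; install the out-of-band update'
    } else {
        'Newer than the versions discussed in the article'
    }

    # New-Object/Select-Object instead of [pscustomobject] to keep PowerShell 2.0 compatibility.
    New-Object -TypeName PSObject -Property @{
        ComputerName          = $env:COMPUTERNAME
        OS                    = $os.Caption
        ServicePack           = $os.ServicePackMajorVersion
        IeVersion             = $versionString
        InternetZoneScripting = Get-ZoneSettingName $scripting
        InternetZoneActiveX   = Get-ZoneSettingName $activeX
        Assessment            = $assessment
    } | Select-Object ComputerName, OS, ServicePack, IeVersion, InternetZoneScripting, InternetZoneActiveX, Assessment
}

Get-IeExposureReport | Format-List
```

Run it under an account that can read HKLM; the zone values come from the current user's hive, so a machine with several user profiles should be checked per profile. A `ServicePack` below 3 on a Windows XP host, combined with an IE major version of 6 or 7, marks exactly the machines the article says Microsoft wants upgraded first.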
The company was also keen to play down the threat to consumers, saying it had seen only a limited number of targeted attacks against a small subset of corporations and that the attacks to date are only effective against Internet Explorer 6.
“We are not seeing any widespread attacks and thus far we are not seeing attacks focused on consumers,” the company said in a statement.
Microsoft uses the term out-of-band to describe software updates that are not in its regular schedule.
Security firm Symantec has confirmed a new exploit for the security hole, which results in the download of a malicious file.
“The new exploit is being hosted on hundreds of Web sites and Symantec detects the malicious HTML pages as Trojan.Malscript!html,” said Josh Talbot, security intelligence manager with Symantec Security Response.
“The pages contain shellcode that bypasses a warning dialog shown after a downloaded file gets executed. The page replaces the code of the ‘MessageBeep API’ so that the Internet Explorer process which attempts to play a beep sound will be terminated. After the termination of the process, it causes the Internet Explorer window to be displayed again. The shellcode also contains code to avert API hooking when it calls APIs. By doing this, some security products may miss some monitored APIs.”