
Microsoft has this morning released an emergency out-of-band patch to fix a widely publicized zero-day vulnerability in Internet Explorer. Security experts are advising users and enterprises to install the latest IE patch immediately.
The number of infected Web sites, many of them legitimate, has grown at "an alarming" rate since the vulnerability was released into the wild and people need to do nothing but visit an infected site with a vulnerable browser to be affected. Eric Schultze, CTO of Shavlik Technologies, says in a written statement:
"Why did this come out as an out-of-band release? It looks like Microsoft was informed of the IE zero day at the same time as everyone else – namely, last Tuesday (Patch Tuesday). Based on Microsoft MSRC blog posts, starting on Tuesday, Microsoft studied the exploit and reviewed source code and determined that it impacted all versions of IE."
By Friday, Microsoft was aware that users were becoming infected at a rate even faster than with previous zero-day exploits. Originally, porn sites seemed to be the carriers, but the number of legitimate sites causing infections was skyrocketing. Hackers were planting the exploit on those sites using well-known SQL injection techniques. Poor SQL coding practices leave Web sites open to being turned into malware hosts -- and not just for this vulnerability, but for any other that can be delivered through an SQL injection.
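The coding weakness the paragraph above refers to is building SQL statements by splicing untrusted input into the query text. The following is an added illustration, not code from the article or from any affected site: it puts the vulnerable pattern beside the hardened one (a fixed statement with a bound parameter) on a constructed, hypothetical product table held in an in-memory SQLite database. The table, rows and function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data (hypothetical): a tiny catalogue such as a Web site
# might expose through a search page. Not taken from the article.
SAMPLE_ROWS = [
    ("widget", "A basic widget"),
    ("gadget", "A basic gadget"),
    ("gizmo", "A basic gizmo"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT PRIMARY KEY, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def search_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: the user-supplied value is concatenated into the SQL text.

    Whatever the user types becomes part of the statement, so a value containing
    a quote character can rewrite the WHERE clause instead of being compared as
    data. This is the class of defect that lets an attacker run statements of
    their own choosing against the site's database."""
    sql = "SELECT name FROM products WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: the statement is fixed and the value is bound separately.

    The database parses only the constant query string; the parameter is handed
    over as a value, so quotes or SQL keywords inside it are never interpreted."""
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    # A well-formed lookup behaves the same either way.
    print(search_unsafe(db, "widget"))  # ['widget']
    print(search_safe(db, "widget"))    # ['widget']
    # The classic textbook input: the unsafe version's WHERE clause becomes
    # "name = 'x' OR '1'='1'" and matches every row; the safe version looks
    # for a product literally named "x' OR '1'='1" and finds nothing.
    print(search_unsafe(db, "x' OR '1'='1"))
    print(search_safe(db, "x' OR '1'='1"))
```

The same distinction applies to every statement a site runs with user-controlled values, including the UPDATE and INSERT paths that modify stored page content; reviewing code for string-built SQL and replacing it with parameterized statements is the fix that removes the whole class of problem, rather than filtering individual inputs.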
Schultze says that the Microsoft security team is to be commended for the speed at which they responded to this threat.
"Researching, fixing, testing, and releasing a security patch within an eight day window is an incredible feat – especially given the need to support all versions of IE across all platforms and languages. This is an ‘all hands on deck’ response from Microsoft – I don’t think we’ll see this as the norm for less critical patches in the future as it is quite disruptive to their own processes."
The patch is out, as is a large set of patches from Microsoft's December Patch Tuesday. It is now users' turn to protect themselves by installing this emergency patch and all the others, and fast.
Julie Bort is the editor of Microsoft Subnet and Network World's Online Community Editor. She also writes the Open Source Subnet blog and is the editor responsible for the Cisco Subnet and Open Source Subnet web sites. If you have an idea for a blog, or a news tip on Microsoft, Cisco or Open Source technologies, contact her at jbort@nww.com, 970-482-6454 or follow Julie on Twitter @Julie188.