Microsoft publishes emergency IE patch to stop massive zero-day attack

Microsoft has this morning released an emergency out-of-band patch to fix a widely publicized zero-day vulnerability in Internet Explorer. Security experts are advising users and enterprises to install the latest IE patch immediately.

The number of infected Web sites, many of them legitimate, has grown at "an alarming" rate since the vulnerability was released into the wild, and people need do nothing more than visit an infected site with a vulnerable browser to be affected. Eric Schultze, CTO of Shavlik Technologies, says in a written statement:

"Why did this come out as an out-of-band release? It looks like Microsoft was informed of the IE zero day at the same time as everyone else – namely, last Tuesday (Patch Tuesday). Based on Microsoft MSRC blog posts, starting on Tuesday, Microsoft studied the exploit and reviewed source code and determined that it impacted all versions of IE."

By Friday, Microsoft was aware users were becoming infected at a rate even faster than with previous zero-day exploits. Originally porn sites seemed to be the carriers, but the number of legitimate sites causing infections was skyrocketing. Hackers were planting the exploit using well-known SQL injection techniques. Poor SQL coding practices leave Web sites vulnerable to becoming hosts for malware -- and not just for this vulnerability but for any others that can be executed via an SQL injection.

Schultze says that the Microsoft security team is to be commended for the speed at which they responded to this threat.

"Researching, fixing, testing, and releasing a security patch within an eight day window is an incredible feat – especially given the need to support all versions of IE across all platforms and languages. This is an ‘all hands on deck’ response from Microsoft – I don’t think we’ll see this as the norm for less critical patches in the future as it is quite disruptive to their own processes."

The patch is out, as is a giant set of patches via Microsoft's December Patch Tuesday. It is users' turn to protect themselves by installing this emergency patch and all the others, and fast.


Copyright © 2008 IDG Communications, Inc.