[Infowarrior] - MS Issuing Out-of-Band Patch to Fix IE Hole

[Richard Forno]

  Microsoft to Issue Out-of-Band Patch to Fix IE Hole
01.19.10

by Mark Hachman

http://www.pcmag.com/article2/0,2817,2358210,00.asp

Microsoft will release an out-of-band patch to resolve the "Aurora"  
vulnerability that has struck Internet Explorer, the company said on  
Tuesday.
Microsoft said that patch would be released Wednesday, but didn't  
disclose a time in which it would be made available.

The company said that, so far, "very limited, and in some cases,  
targeted attacks" have been made against Internet Explorer 6.  
Microsoft had previously concluded Internet Explorer 6 running on  
Windows XP and possibly Windows 2000 was vulnerable, although later  
the same exploit was found to also affect IE7 on Windows XP and Vista.

The Aurora vulnerability was the vector unknown attackers used to  
strike Google and a number of other Internet companies; those attacks  
were originally blamed on a hole in Adobe's products, but were later  
tied to IE. Reuters later that the attacks may have been assisted by  
Google employees.

The widespread confusion on the issue prompted the out-of-band patch,  
George Stathakopoulos, general manager of Trustworthy Computing  
Security, wrote in a blog post on Tuesday.

"Given the significant level of attention this issue has generated,  
confusion about what customers can do to protect themselves and the  
escalating threat environment Microsoft will release a security update  
out-of-band for this vulnerability," Stathakopoulos wrote.

"We take the decision to go out-of-band very seriously given the  
impact to customers, but we believe releasing an update out-of-band  
update is the right decision at this time," Stathakopoulos added.

Naturally, Microsoft continues to recommend users update their browser  
to Internet Explorer 8, a practice that some businesses may have not  
taken because of their dependence on older Web applications.