Microsoft confirms Internet Explorer vulnerability will be patched out of band

Microsoft has issued a statement confirming that it plans to release a patch for a security vulnerability in Internet Explorer which saw Google fall victim to some targeted and sophisticated attacks recently.

George Stathakopoulos, Microsoft Security, confirmed the news in a company blog posting. "Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment Microsoft will release a security update out-of-band for this vulnerability," said Stathakopoulos. He added that Microsoft will share specific timing of the release tomorrow.

The vulnerability came to light when Google disclosed that it had been targeted in a sophisticated cyber-attack. The breach, involving Internet Explorer 6, resulted in the theft of intellectual property. Due to the attack, and the background behind it, Google announced it will no longer be providing censored results for its Chinese Google search engine. Currently Google offers censored search results as part of an agreement with the Chinese government.

Microsoft has been busy working on a fix for the issue and has decided an out-of-band patch is required. Whilst it's a rare decision these days, Microsoft could ill afford to wait three weeks until the next "Patch Tuesday" on February 9. Stathakopoulos added: "we believe releasing an update out-of-band update is the right decision at this time."

Since the news of the unpatched flaw broke, Microsoft has been in damage-limitation mode. This week Microsoft began urging businesses and consumers to upgrade to Internet Explorer 8, explaining that its security benefits are far greater than those of Internet Explorer 6. Both the French and German governments warned their populations to cease using Internet Explorer due to the unpatched flaw. Currently the flaw exists in Internet Explorer versions 6, 7 and 8, but exploit code is only available for Internet Explorer 6. The patch, when released, will protect all affected versions of Internet Explorer.

29 Comments


McDave said,
Thinking back... why are Google using IE6 instead of their own browser Chrome?

I thought the same thing myself. I was actually surprised when no one brought that issue up.

Sean Bradford said,

I thought the same thing myself. I was actually surprised when no one brought that issue up.

Oh I think it's simple, the truth is, they probably don't really use it as much as you first think hearing this news. But hey, you know, since they found/knew about this old bug in IE, and yeah they have their own browser now, so why not use that as an excuse for whatever breach in their flaky security happened and get more people to think about dropping IE.

Look at all the other stories posted about different governments telling people not to use IE till it's fixed etc. It's a clever marketing ploy to spin what I think was Google's crappy security that got haX0rd etc.

Of course every company does this, that's why you pay big $$$ for PR divisions etc.

JJ_ said,
Off topic but title should read "patched out of cycle"

Out of band was the term used within the article. Makes sense to use it in the title.

I agree Redz0ne, it would be nice to see normal software updates appear in windows update like my ATI, NVIDIA and monitor drivers :)

nifke said,
I agree Redz0ne, it would be nice to see normal software updates appear in windows update like my ATI, NVIDIA and monitor drivers :)

What are you talking about?
When I reinstalled my Windows 7 yesterday. Why? Because I just migrated to an SSD. Anyway, Windows Update found signed drivers for my Samsung SyncMaster LCD, my Razer Boomslang CE, my nVidia graphics card AND my HP all-in-one printer.
So I installed them.

Redz0ne's comment is one of user choice. Users he supports obviously choose not to keep their system up to date. Or if they do, fail to leave their PCs on at 03:00.

I agree with Redz0ne's comment that each vendor having their own application updater is quite annoying.

If you think Windows Update could be better, you're right. Instead of wishing, sign up for the Microsoft Update CTP Program on the Microsoft Connect site to have your opinions on this matter heard.

nifke said,
I agree Redz0ne, it would be nice to see normal software updates appear in windows update like my ATI, NVIDIA and monitor drivers :)

I read nifke's comment as saying it would be good if all vendors' applications were updated like drivers and Windows updates.

I do think Windows Update could be better but can't see Apple, Google, Sun and all the other companies currently using their own update software letting MS distribute all updates.

Firefox seems to do a good job of updating itself with little fuss to users.

nifke said,
I agree Redz0ne, it would be nice to see normal software updates appear in windows update like my ATI, NVIDIA and monitor drivers :)

It's called *Windows* updates.
Sheesh, you people are like those who want Firefox, Safari, and Chrome shipped with Windows.

Edited by cybertimber2008, Jan 19 2010, 11:56pm :

I agree. On top of all, it is so easy to set up a WSUS server which basically will mirror Windows Update in-house. And network admins can push some other software updates through MSI packages and Active Directory GPOs. Basically, these non-updated systems issues seem to be about bad management to me. :(

The issue is with MS Update and not the out of date Internet Explorer. The amount of home users' PCs I have looked at with updates that have never been downloaded let alone installed, but with every software company having their own annoying update application you can't blame most users for ignoring the messages to update software.

If every software company used the same update system I think we would see less of this.

Redz0ne said,
The issue is with MS Update and not the out of date Internet Explorer. The amount of home users' PCs I have looked at with updates that have never been downloaded let alone installed, but with every software company having their own annoying update application you can't blame most users for ignoring the messages to update software.

If every software company used the same update system I think we would see less of this.

I too have seen this. I'd like to know how Windows Update gets turned off to begin with...

willdev said,
What does "out of band" mean?

I guess that they release only fixes/updates on scheduled dates and now they will release a fix/update earlier (out of band).

Blasius said,

Patches that are released outside of the normal patch schedule.


Huh, your comment came up before mine even though I posted mine before you :P