Microsoft preps emergency IE patch for Wednesday release

Microsoft Corp. announced today that it will issue an emergency patch tomorrow to quash a critical Internet Explorer bug that attackers have been exploiting for more than a week.

The advance warning came less than a week after Microsoft acknowledged that exploit code had gone public and was being used by hackers to hijack Windows PCs running IE.

Microsoft will deliver the out-of-cycle patch Wednesday at 1 p.m. Eastern time via its normal update mechanisms, including Windows Update, Microsoft Update and Windows Server Update Services (WSUS).

The update will be pegged "critical," the most serious ranking in Microsoft's four-step scoring system. Microsoft will provide patches to users of Windows 2000, XP, Vista, Server 2003 and Server 2008 for IE5.01, IE6 and IE7. A separate patch will apparently be issued tomorrow for IE8 Beta 2, a preview version of Microsoft's next browser that is not officially on the support list.

30 Comments


I've just noticed that I cannot use my online bank service after the installation of this update. I'd like to know if it's only me or it's a major problem caused by the patch. BTW I'm free of spyware, trojans and so on.

Thx and Cheers

Just checked Windows Update on wife's computer with IE6/SP3. No updates available?
Link above posted by PeterUK has it for IE6.

What's up with that?

PeterUK said,
They want you to move to IE7 :shifty:


Installed it from the link you posted. Asked for me to restart. Did it. Don't notice a thing.

No problems at my bank site as I see the post below is inquiring about.

Thx for your reply "cork1958"... Apparently my bank was having some problems (Other kind, not related with the update I was talking about) but right now I'm able to use their service again.

Cheers

FrozenEclipse said,
I have IE8 RC1, but the update still showed up in WU as for IE7. Does that make any difference?

I got two updates, one for IE7, and another for IE8 beta 2.

Congrats to Microsoft; I hope this paves the way for rapid-response updates. Having a predictable update schedule is just another vulnerability in and of itself.

Yeah, it makes sense to receive one for beta 2 but not RC1 since the "partner build" info said you would have to manually update to the public RC/final, so I presume you'd have to manually apply the patch. The question is - is there a patch for the RC1? Any legit testers know?

Edit:

Updated IE8 Partner Build: version 8.0.6001.18344. This build contains the fix to MSRC MS08-078.

We got hit by a worm 10 days ago. I wondered how it got onto the network! Thanks for nothing Microsoft, for keeping this quiet.

csrsc.exe the executable adding a service "Windows Spooler" (an old piece of "virus code") that looks for credit card details. It makes the box unstable, Antivirus software tricked into not reporting the program, when memory resident. Obviously any malware can be used once the vulnerability has been exploited.

Why do sites like this only give the vaguest of details. The baddies know what is going on, us good guys are left in the dark. Main Stream Media has been bought and paid for, sites like this should do better.

My brother just got a flood of viruses on his PC from security holes in an out of date Java run-time - it could be that, or maybe Flash or Quicktime - they've had several exploitable holes and Chrome has had some big ones too. These are just some possibilities...it's hard to say, really.

Of course, if you're running Vista 64-bit with UAC and DEP enabled none of those exploits work...

JonathanMarston said,
My brother just got a flood of viruses on his PC from security holes in an out of date Java run-time - it could be that, or maybe Flash or Quicktime - they've had several exploitable holes and Chrome has had some big ones too. These are just some possibilities...it's hard to say, really.

Of course, if you're running Vista 64-bit with UAC and DEP enabled none of those exploits work...

The flaw was reported about a week ago, how could they have warned you about it 10+ days ago? And according to Symantec (source) you could have gotten that from their products' vulnerabilities as well! Don't operate a "network" if you don't know how to maintain it and keep it secure.

But the Fox Cultists told me Firefox has no security holes! Did they lie to me?
If Mozilla released the fixes for MANY holes... does that mean that some of those holes were exposed for a prolonged time interval?

RealFduch said,
But the Fox Cultists told me Firefox has no security holes! Did they lie to me?
If Mozilla released the fixes for MANY holes... does that mean that some of those holes were exposed for a prolonged time interval?

You have to realize that a lot of software has holes in it that people are unaware of. No software is 100% hole free. That's why there are always updates and patches for all software. So I am betting there are some undiscovered issues with Windows, OS X, FF, IE....you name it

Yeah, baby!!

MS rulez!!
NOT!!

I will DEFINITELY wait a bit before installing it anyway. With MS cranking out a patch this fast, it almost HAS to screw something else up. Could not possibly have tested it very well.

cork1958 said,
Yeah, baby!!

MS rulez!!
NOT!!

I will DEFINITELY wait a bit before installing it anyway. With MS cranking out a patch this fast, it almost HAS to screw something else up. Could not possibly have tested it very well.


A patch delivered through Windows Update usually goes through a good amount of testing. If it's just a patch on the Microsoft download site, then it may or may not have gone through sufficient testing.

Was on the news this morning. I wish the media would stop hyping this and spreading FUD. It would be better to disclose the Microsoft advisory and tell people what the workaround is rather than panic. Anyone see the I.T. Crowd when April broke the internet after being hit by Douglas? Well, this is similar mass hysteria to that.

andy2004 said,
Was on the news this morning. I wish the media would stop hyping this and spreading FUD. It would be better to disclose the Microsoft advisory and tell people what the workaround is rather than panic. Anyone see the I.T. Crowd when April broke the internet after being hit by Douglas? Well, this is similar mass hysteria to that.

I don't worry about patches unless it's a Service Pack. Individual updates/fixes always work fine...at least they do for me.

If you're an average user, and you visited Neowin for the first time this week, it must have been very confusing to read of the IE exploit with suggestions to migrate to Firefox ASAP, and then to see Firefox named most vulnerable Windows application.

Vezineth said,
That's what went through my head earlier. Humorously ironic though.

Firefox being most vulnerable Windows application was a 'report' but the IE exploit was a 'bug' in IE browser. That said, it never meant IE is most vulnerable or a bad browser. And Microsoft has already prepared a patch for the IE exploit.

Chaks said,
Firefox being most vulnerable Windows application was a 'report' but the IE exploit was a 'bug' in IE browser. That said, it never meant IE is most vulnerable or a bad browser. And Microsoft has already prepared a patch for the IE exploit.

Don't worry, they will put IE in the list when it applies the patch... I guess it will fill the required number of applied patches for the list.

I would think probably, since many other programs rely on the affected file. I would certainly install it just to be safe.

You can probably wait for your next scheduled maintenance.

But you never know when your system administrator decides to visit Chinese pron sites after office hours.