Over the weekend, the security firm FireEye reported that a zero-day bug in many versions of Internet Explorer was already being exploited by attackers. Now Microsoft is taking the unusual step of announcing that the exploit will be fixed in the set of security bulletins it had already planned to release today as part of "Patch Tuesday".
Normally, Microsoft does not offer specific information about the security bulletins it will release during "Patch Tuesday" ahead of time so as not to alert hackers. However, because the IE zero-day bug is already being used in the wild, Microsoft posted a note on its Security Response Center blog on Monday stating that the exploit, which affects an Internet Explorer ActiveX Control, will be closed as part of the MS13-090 bulletin.
Microsoft also offered some advice for PC users who might be affected by the exploit before the patch is released later today, such as changing Internet and local intranet security zone settings to "High" to block any ActiveX Controls and Active Scripting. It also says that IE can be configured to either prompt or disable Active Scripting.
FireEye previously claimed the bug affects versions 7, 8, 9, and 10 of IE that are used with Windows XP and 7 and that it can be used to distribute malware that resides in PC memory. It also claims that the exploit has already infected a major website but did not name the specific URL.
Source: Microsoft