Microsoft: No security patch on Tuesday for IE6, IE7, and IE8 vulnerability despite second attack

January 3, 2013

Right on schedule, Microsoft on Thursday announced its usual advance notification for the upcoming Patch Tuesday. While the company is planning to release seven bulletins (two Critical and five Important) which address 12 vulnerabilities, there is one that is notably missing: a bulletin for the new IE vulnerability discovered on Saturday.

For those who didn’t see the news on the weekend, criminals started using a new IE security hole to attack Windows computers in targeted attacks. While IE9 and IE10 are not affected, versions IE6, IE7, and IE8 are.

The IE zero-day flaw first came to light after security firm FireEye detailed that the Council on Foreign Relations (CFR) had been hacked and was hosting malicious content as early as December 21. This week, security researcher Eric Romang detailed that microturbine systems producer Capstone Turbine had also been a victim since at least December 18.

Microsoft responded by issuing a security advisory, a rare occurrence for a Saturday, and then followed up on Monday with a temporary one-click “Fix it” tool. Running it will prevent the vulnerability in IE6, IE7, and IE8 from being used for code execution, without affecting the user’s ability to browse the Web.

At the time, Microsoft said it had “observed only a few attempts to exploit this issue” but was still encouraging IE users to apply the temporary fix and would be providing a security update to address the issue in question. We noted that Microsoft was monitoring the Web to see whether the exploit started being used more broadly (beyond targeted attacks), and that only then would the company likely rush out a patch.

Given that Microsoft is not planning to release it by January’s Patch Tuesday, it looks like the company is confident it’s not being widely exploited. That could still change, at which point Microsoft will release the patch before or after next Tuesday. If nothing changes, however, Microsoft will release it as soon as it’s fully tested, which now looks like it won’t be until February’s Patch Tuesday.

Again, this isn’t the best news for users of Windows XP and earlier, since they cannot upgrade to more recent versions of Microsoft’s browser. If you can’t upgrade to IE9/IE10, either apply the temporary “Fix it” solution or use a different browser such as Google Chrome.

Image credit: Steve Ekblad

Article source: TNW

