As Attacks Escalate, MS Readies Emergency IE Patch
Ryan Naraine writes on the ZDNet "Zero Day" Blog:
Microsoft is planning to ship an emergency Internet Explorer update tomorrow (December 17) to counter an escalating wave of malware attacks targeting a zero-day browser vulnerability.More here.
The out-of-band update, which will be rated critical, follows the public discovery of password-stealing Trojans exploiting the bug on Chinese-language Web sites. Over the past week, the attacks have expanded with hackers using SQL injection techniques to seed exploits on legitimate Web sites.
This will be the second out-of-band update from the MSRC (Microsoft Security Response Center) in the last two months. Back in October, the company shipped MS08-067 to plug an extremely critical worm hole that affected Windows 2000, Windows XP and Windows Server 2003.
The IE patch will be available for all supported versions of the browser. According to this pre-patch advisory from Microsoft, the in-the-wild attacks have targeted IE 7 on Windows XP SP2 and SP3, Windows Server 2003 SP1 and SP2, Windows Vista (including SP1) and Windows Server 2008.