
Right on schedule, Microsoft on Thursday announced its usual advance notification for the upcoming Patch Tuesday. While the company is planning to release seven bulletins (two Critical and five Important) which address 12 vulnerabilities, there is one that is notably missing: a bulletin for the new IE vulnerability discovered on Saturday.
For those who didn't see the news on the weekend, criminals started using a new IE security hole to breach Windows computers in targeted attacks. While IE9 and IE10 are not affected, versions IE6, IE7, and IE8 are.
The IE zero-day flaw first came to light after security firm FireEye detailed that the Council on Foreign Relations (CFR) had been hacked, and was hosting malicious content as early as December 21. This week, security researcher Eric Romang detailed that microturbine systems producer Capstone Turbine was also a victim since at least December 18.
Microsoft responded by issuing a security advisory, a rare occurrence for a Saturday, and then followed up on Monday with a temporary one-click "Fix it" tool. Running it will prevent the vulnerability in IE6, IE7, and IE8 from being used for code execution, without affecting the user's ability to browse the Web.
At the time, Microsoft said it had "observed only a few attempts to exploit this issue" but was still encouraging IE users to apply the temporary fix and would be providing a security update to address the issue in question. We noted that Microsoft was monitoring the Web to see if the exploit starts being used more broadly (beyond targeted attacks), and only then will the company likely rush out a patch.
Given that Microsoft is not planning to release it by January's Patch Tuesday, it looks like the company is confident it's not being widely exploited. That could still change, at which point Microsoft will release the patch before or after next Tuesday. If nothing changes, however, Microsoft will release it as soon as it's fully tested, which now looks like it won't be until February's Patch Tuesday.
Again, this isn't the best news for users of Windows XP and earlier, since they cannot upgrade to more recent versions of Microsoft's browser. If you can't upgrade to IE9/IE10, either apply the temporary "Fix it" solution or use a different browser such as Google Chrome.
Update at 5:30PM EST: The title previously said "second attack" but has been updated to say "multiple attacks" after security firm Avast pinged us with more information. Jindrich Kubec, Director of Threat Intelligence at Avast, says there are currently four live sites exploiting the vulnerability and five dead sites that exploited it:
- Live: Hong Kong newspaper site, Russian science site, Chinese human rights site, and Uyghur human rights site.
- Dead: CFR, Capstone Turbine, Russian science site, Taiwanese travel agency, and a completely unknown site (Avast says it has only seen one hit on it).
These sites were found in Avast's CommunityIQ telemetry submissions sent by its users.
Image credit: Steve Ekblad