Microsoft: No security patch on Tuesday for IE6, IE7, and IE8 vulnerability despite multiple attacks

Microsoft: No security patch on Tuesday for IE6, IE7, and IE8 vulnerability despite multiple attacks

Right on schedule, Microsoft on Thursday announced its usual advance notification for the upcoming Patch Tuesday. While the company is planning to release seven bulletins (two Critical and five Important) which address 12 vulnerabilities, there is one that is notably missing: a bulletin for the new IE vulnerability discovered on Saturday.

For those who didn’t see the news on the weekend, criminals started using a new IE security hole to breach Windows computers in targeted attacks. While IE9 and IE10 are not affected, versions IE6, IE7, and IE8 are.

The IE zero-day flaw first came to light after security firm FireEye detailed that the Council on Foreign Relations (CFR) had been hacked, and was hosting malicious content as early as December 21. This week, security researcher Eric Romang detailed that microturbine systems producer Capstone Turbine was also a victim since at least December 18.

Microsoft responded by issuing a security advisory, a rare occurrence for a Saturday, and then followed up on Monday with a temporary one-click “Fix it” tool. Running it will prevent the vulnerability in IE6, IE7, and IE8 from being used for code execution, without affecting the user’s ability to browse the Web.

At the time, Microsoft said it had “observed only a few attempts to exploit this issue” but was still encouraging IE users to apply the temporary fix and would be providing a security update to address the issue in question. We noted that Microsoft was monitoring the Web to see if the exploit starts being used more broadly (beyond targeted attacks), and only then will the company likely rush out a patch.

Given that Microsoft is not planning to release it by January’s Patch Tuesday, it looks like the company is confident it’s not being widely exploited. That could still change, at which point Microsoft will release the patch before or after next Tuesday. If nothing changes, however, Microsoft will release it as soon as it’s fully tested, which now looks like it won’t be until February’s Patch Tuesday.

Again, this isn’t is the best news for Windows XP users and earlier, since they cannot upgrade to more recent versions of Microsoft’s browser. If you can’t upgrade to IE9/IE10, either apply the temporary “Fix it” solution or use a different browser such as Google Chrome.

Update at 5:30PM EST: The title previously said “second attack” but has been updated to say “multiple attacks” after security firm Avast pinged us with more information. Jindrich Kubec, Director of Threat Intelligence at Avast, says there are currently four live sites exploiting the vulnerability and five dead sites that exploited it:

  • Live: Hong Kong newspaper site, Russian science site, Chinese human rights site, and Uyghur human rights site.
  • Dead: CFR, Capstone turbine, Russian science site, Taiwanese travel agency, and a completely unknown site (Avast says it has only seen one hit on it).

These sites were found in Avast’s CommunityIQ telemetry submits sent by its users.

Image credit: Steve Ekblad

Read next: GoPollGo takes its polling solution mobile by releasing an iOS application