Microsoft To Fix Zero-Day IE Bug For Patch Tuesday Release


The upcoming Patch Tuesday release, which Microsoft will issue on Dec. 8, covers flaws in numerous versions of Microsoft Windows, including Windows 7, in IE 8, and in Office products including Project, Word and Works 8.5. Specifically, the affected software includes Windows 2000, XP, Vista and Windows 7, as well as Server 2003 and 2008, Office XP, and Office 2003.

The Microsoft December patch covers three flaws with the highest severity ranking of 'critical,' indicating that the vulnerabilities can be exploited by remote attackers to run malicious code.

Among the critical patches is a fix for a zero-day IE flaw, affecting IE 8 and other versions, which under certain conditions allows hackers to launch specially crafted malware that remotely infiltrates and completely takes over a user's computer in order to steal sensitive financial information and login credentials.

"We know that customers are concerned about this issue and we are also aware that proof of concept code is available publicly," Microsoft said in its advance notification bulletin Thursday.


In a scenario where a Web-based attack exploits the IE flaw, a hacker would entice a victim to view a maliciously crafted Web page, typically via a phishing attack or some kind of social engineering scheme contained in an e-mail. Attackers could also infect victims by injecting malicious code into an existing legitimate Web site, so that malware is downloaded onto a user's computer when they visit the compromised site.

Microsoft issued a security advisory Nov. 23, warning users about the IE bug, but maintained that thus far there were no known attacks in the wild exploiting the vulnerability.

Microsoft advised that users enable firewalls, apply all browser and OS updates and patches, and keep security products such as antivirus and antispyware up to date to reduce the risk of attack.

In addition to the critical patches, Microsoft will also release three security bulletins labeled with the slightly less severe ranking of "important," for errors in multiple versions of Windows and Office that could lead to remote code execution or denial of service attacks.