Wednesday, December 17, 2008

Microsoft issues emergency patch

Microsoft (NSDQ: MSFT) is planning to release an out-of-band patch for Internet Explorer on Wednesday to address a critical security vulnerability that's being actively exploited. Microsoft Security Response Center researchers Ziv Mador and Tareq Saade said in a blog post, "Based on our stats, since the vulnerability has gone public, roughly 0.2% of users worldwide may have been exposed to websites containing exploits of this latest vulnerability." While that percentage may seem very small, it means that 1 out of every 500 IE users has the potential for being infected. According to reports, the exploit seems to have been sourced on sites hosted in Taiwan and Hong Kong.

This is the second time in 2008 that Microsoft has released an "out of band" patch, with the last coming just 3 months ago (it was the subject of my Oct 23, 2008 blog: Urgent Security Patch from Microsoft).

This issue first came to light on Dec 9, 2008, when Microsoft issued a very limited Security Advisory. At the time, the company indicated that they were "aware only of limited attacks that attempt to use this vulnerability." Since then, however, the alert has been updated at least four times, expanding the list of affected software to include several versions of IE... including IE7, IE6, IE6 SP1, IE5.01 SP4 and IE 8 beta 2. Virtually all of the versions of Windows installed by most users are affected... XP SP1 and SP2, Server 2K3 SP1 and SP2, Vista with and without SP1, and Server 2K8.

At some point over the next couple of days, PCs that are set for automatic updates will get the patch and likely be rebooted. If your firm has not recently reviewed your strategy for managing Operating System updates, please contact me. It is well worth a small investment to have a good handle on these kinds of events.
