Microsoft will be releasing an out-of-band patch later today to fix a critical zero-day flaw affecting Internet Explorer versions 6, 7 and 8. The vulnerability allows hackers to execute code remotely if a user visits an infected website.
Word of the exploit first surfaced publicly on December 29 as Microsoft Security Advisory #2794220. According to the software giant, the vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. This may corrupt memory in a way that would allow an attacker to execute code without user warning or intervention.
Microsoft released a Fix-it patch earlier this month to address the issue. The temporary workaround was designed to crash the browser before the exploit could be run, but such efforts were trumped in less than a day. Peter Vreugdenhil from Exodus Intelligence reportedly reverse-engineered the code and compromised a fully patched system with a variation of the original exploit.
Vreugdenhil made Microsoft aware of the revised method last week, which we can safely assume led to the full patch that we will see later today. That patch, by the way, is expected to hit the web around 10am PST, we’re told. If you happen to be running IE as your primary browser, we highly recommend that you get the full fix as soon as it becomes available.
Those using Internet Explorer 9 and IE10 on Windows 8 and Windows RT systems are not affected.