Despite sticking to its position that the Google attack flaw in Internet Explorer 6 is limited in scope, Microsoft has promised to release an out-of-band security update to close the vulnerability. Out-of-band means that it will be released outside of the usual patch cycle.
“Based on our comprehensive monitoring of the threat landscape we continue to see very limited, and in some cases, targeted attacks,” Microsoft’s Security Response Center writes. “To date, the only successful attacks that we are aware of have been against Internet Explorer 6.” Microsoft advises upgrading to IE 8, but a more obvious idea is to upgrade to a competing web browser, such as Firefox or Chrome.
“Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment Microsoft will release a security update out-of-band for this vulnerability,” they further explain. “We take the decision to go out-of-band very seriously given the impact to customers, but we believe releasing an out-of-band update is the right decision at this time.”
More details and a release schedule will be published tomorrow.
In the meantime, security company Vupen claims that it has developed a proof-of-concept remote code execution exploit using this vulnerability that works on systems with DEP enabled. This proof-of-concept cannot be tested, since it is only available to Vupen customers – and they are quite picky about their customers.