Microsoft will release its emergency patch for Internet Explorer (IE) today, the company has announced after it also admitted that attacks can be hidden inside rigged Office documents.
Earlier this week, Microsoft confirmed speculation that it would issue an 'out-of-band' update for the IE vulnerability, but postponed specifying a ship date last night.
Microsoft also updated the security advisory it originally published last week when it acknowledged a zero-day IE vulnerability had been used by hackers to break into the corporate networks of Google and other major Western companies. Google has alleged that the attacks were launched by Chinese attackers. Subsequently, security experts have offered evidence that links the attacks to China.
The revised advisory also addressed claims made by researchers that it's possible to exploit the newer IE7 and IE8 browsers, and even circumvent Microsoft's recommended defensive measure, DEP (data execution prevention). However, the advisory waffled on whether DEP bypass was effective, neither confirming or denying the researchers' allegations.
"There is a report of a new Data Execution Prevention (DEP) exploit," Microsoft said in the advisory. "We have analysed the proof-of-concept exploit code and have found that Windows Vista and later versions of Windows offer more effective protections in blocking the exploit due to Address Space Layout Randomization (ASLR)."
Even a follow-up post by Jonathan Ness, an MSRC engineer, on the company's Security Research & Defense blog declined to spell out whether the DEP bypass attacks were effective. Ness, however, did reiterate Microsoft's point that the only in-the-wild attacks seen thus far have been aimed at IE6.
He also touted the additional security that ASLR and IE's Protected Mode provide, and published a table that spelled out the current attack and threat situation for IE and Windows users.
Microsoft also admitted that the vulnerability could be exploited through malicious Office documents, a vector that had not been disclosed previously. "We are also aware that the vulnerability can be exploited by including an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file," said Bryant. "To prevent exploitation, we recommend that customers disable ActiveX Controls in Microsoft Office."
Today's update for IE will patch all attack avenues, Bryant added, including the Office document vector.
The last time Microsoft shipped an emergency security update was July 2009.