Redmond Mulls Emergency Patch for IE Attacks

Microsoft Corp. is working on a plan to release an out-of-cycle patch to cover a gaping hole in its dominant Internet Explorer browser.

Sources say the MSRC (Microsoft Security Response Center) is aggressively aiming to release the emergency IE fix ahead of the December 13 Patch Tuesday schedule.

Officially, the company isn't commenting on a timeline for the IE patch. A Microsoft spokeswoman said the creation of security updates is "an extensive process involving a series of sequential steps."

"There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update, and every vulnerability presents its own unique challenges."

However, a source familiar with the company's thinking said the out-of-cycle update is dependent on the patch holding up through a "very rigorous" quality assurance testing process.

"If the patch isn't ready from a quality standpoint, it won't be released. But with an attack already underway, I think you'll see an emergency patch," the source said.

Microsoft late Tuesday updated its security advisory to confirm it was aware of a zero-day exploit and a drive-by malware attack targeting the unpatched vulnerability.

Alex Eckelberry, president of anti-spyware vendor Sunbelt Software, said his company first detected the drive-by downloads earlier this week and reported its findings to Microsoft.

"This is a pretty nasty exploit. You just have to visit the [malicious] site and your computer gets hosed. It's dropping a Trojan downloader that takes control of the victim's machine," Eckelberry said in an interview.

Sunbelt Software researchers have confirmed the exploit is being launched from a handful of malicious Web sites.

He said the drive-by exploit was successfully loading pornography-themed spyware programs on fully patched Windows XP SP2 machines.

"If there's one time Microsoft needs to go out-of-cycle with a patch, this is it," Eckelberry declared.

Stephen Toulouse, an MSRC program manager, said Microsoft's anti-virus engine has been updated to detect the latest attack, which drops a piece of malware called TrojanDownloader:Win32/Delf.DH.

Anti-virus vendor McAfee Inc. identified it as JS/Exploit-BO.gen and confirmed it was using the zero-day "Window()" remote code execution exploit released last week by a UK-based group called "Computer Terrorism."

Eckelberry said that he was aware that Kaspersky Lab and Symantec Corp. had updated its virus definitions to detect the latest attack.

In Microsoft's advisory, the company recommends that customers can visit its new Windows Live Safety Center and use the "Complete Scan" option to check for and remove the malicious software and future variants.

The Safety Center, which is part of the company's new 'Windows Live' initiative, lets customers run free Web-based computer scans to detect and remove viruses and other known malware.

It currently works only on IE and uses an ActiveX Control to scan for and remove viruses. It is also capable of detecting vulnerabilities on Internet connections.

Johannes Ullrich, chief research officer at the SANS ISC (Internet Storm Center), said in a recent interview that the severity of the vulnerability and the public release of exploit code should force Microsoft into releasing an out-of-cycle update.

"This one certainly qualifies for an emergency patch. How much worse can it get? At this stage, you really can't wait for next month to get a fix out there," Ullrich said.

Since moving to a monthly release cycle in late 2003, Microsoft has released three out-of-cycle patches, all for "critical" IE flaws.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.