Last weekâ€™s cyber attacks, that targeted Google and several other large U.S. companies, has certainly gotten Microsoftâ€™s attention. The attack was orchestrated, in part, through a zero-day flaw in Internet Explorer (IE). The flaw seems to be obscure, and restricted to IE 6 and IE 7, but that hasnâ€™t stopped Microsoft from releasing an out-of-cycle patch for IE.
Microsoft has acknowledgde the flaw, and says the â€œvulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.â€
Microsoft, in an announcement posted today, says the confusion surrounding this particular attack has compelled Microsoft to act now. Microsoftâ€™s primary advice: upgrade to IE 8, which is not affected by this flaw. If you donâ€™t plan to upgrade, then updates for earlier versions will be made available, with specific timing of the updates to be announced tomorrow. In the meantime, Microsoft suggests using the workarounds and mitigations provided in Security Advisory 979352.