Microsoft has released an "emergency" update for Internet Explorer outside of its regular Patch Tuesday schedule. For users with automatic updates turned on, the patch will be installed automatically.
Computerworld's Gregg Keizer reported, "Microsoft today shipped an emergency update for Internet Explorer (IE) to stymie attacks that have been occurring since at least Dec. 7. The 'out-of-band' update -- the label for a security fix outside a vendor's normal schedule -- was expected by experts, who last week predicted Microsoft would issue a fix for the IE flaw before the next Patch Tuesday on Feb. 12."
Ars Technica's Dan Goodin explained, "The patch fixes a 'use after free' bug in versions 6, 7, and 8 of the Microsoft browser and will be automatically installed on affected machines that have automatic updating enabled, Dustin Childs, the Group Manager of the company's Trustworthy Computing program, wrote in a blog post published Monday. The unscheduled release comes just six days after Microsoft's most recent monthly Patch Tuesday batch of security updates, but it was pushed out to counter an experienced gang of hackers who have infected websites frequented by government contractors to exploit the vulnerability."
Writing for Kaspersky Lab's ThreatPost, Michael Mimoso added, "The vulnerability was reported shortly after Christmas Day when it was discovered that the Council on Foreign Relations website had been compromised and serving malware for close to a month. Soon thereafter, Capstone Turbine Co., a power equipment manufacturer for utilities, was also serving malware as were political, social and human rights websites in Russia, China and Hong Kong. Researcher Eric Romang said that since, he has seen more sites hosting exploits including an Australian telco provider, a US service provider and a US importer of used Japanese auto parts. 'After the public release of the zero day, two different variants of the zero day have been found exploited in targeted attacks against human rights activists, a Japanese tourism agency and a Taiwan petrochemical company,' Romang said."
PCMag's Fahmida Y. Rashid noted, "'The majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically,' Microsoft said in the advisory. Users who update IE manually are strongly encouraged to apply the update as quickly as possible. It's important to note that Microsoft released a patch and not a cumulative update, said Wolfgang Kandek, CTO of Qualys. Users need to first make sure their version of Internet Explorer is up-to-date (and has MS12-077 installed) before applying the patch (MS13-008), Kandek said."