Microsoft, which announced yesterday that it would create an out-of-band patch for the Internet Explorer flaw, today issued further guidance on timelines. The patch will be issued tomorrow, the company said this morning. "We are planning to release the update as close to 10:00 a.m. PST (UTC -8) as possible," said Microsoft representative Jerry Bryant.
Bryant confirmed that the attack, previously thought to affect only Microsoft Internet Explorer, can be used to exploit Microsoft Office files, if a malicious Active X control is embedded in the file. The company has advised users to disable Active X in Microsoft Office to remediate this problem.
Microsoft also addressed new reports of a workaround that bypasses the Data Execution Prevention (DEP) technology that, when turned on, is meant to stop the zero-day exploit from working. Proof-of-concept code has been released demonstrating that workaround, although Microsoft hasn't seen any exploits in the wild yet.
"We have analyzed the proof-of-concept exploit code and have found that Windows Vista and later versions of Windows offer more effective protections in blocking the exploit due to Address Space Layout Randomization (ASLR). On Windows XP, attackers could make the bypass techniques more reliable," Microsoft said.
McAfee released a special version of its Stinger malware cleansing tool specifically for the Internet Explorer vulnerability, which emerged last week. Called Aurora Stinger, it detects and removes threats associated with the malware attacks, which threaten Internet Explorer 6 exclusively today, but which could theoretically be developed into attacks on later versions of the browser.
Aurora Stinger also includes a link to the McAfee Global Threat Intelligence service, a cloud-based system that will deliver information on any newly discovered variants in real time to the software tool.
Such is the urgency of the zero-day flaw that at least one unofficial patch has begun circulating for the vulnerability, according to McAfee.
"Patching is of course a good idea, just don't apply any patch," said McAfee CTO George Kurtz. "These unofficial patches may seem like a good idea as they appear to provide immediate protection, but applying a patch from an unknown source for software that was created by someone else just isn't a good idea."
Developers have released unofficial patches for Internet Explorer in the past. The Zero Day Emergency Response Team, which has not been active in three years, released several of its own patches for Microsoft products between 2006 and 2007.