Ryan Naraine at eWeek:
Microsoft Corp. is working on a plan to release an out-of-cycle patch to cover a gaping hole in its dominant Internet Explorer browser.
Sources say the MSRC (Microsoft Security Response Center) is aggressively aiming to release the emergency IE fix ahead of the December 13 Patch Tuesday schedule.
Officially, the company isn’t commenting on a timeline for the IE patch.
IE security flaws are usually not particularly newsworthy, but this one is exceptional.
Microsoft late Tuesday updated its security advisory to confirm it was aware of a zero-day exploit and a drive-by malware attack targeting the unpatched vulnerability.
Alex Eckelberry, president of anti-spyware vendor Sunbelt Software, said his company first detected the drive-by downloads earlier this week and reported its findings to Microsoft.
“This is a pretty nasty exploit. You just have to visit the [malicious] site and your computer gets hosed. It’s dropping a Trojan downloader that takes control of the victim’s machine,” Eckelberry said in an interview.
Sunbelt Software researchers have confirmed the exploit is being launched from a handful of malicious Web sites.
More by following the link. The revised security advisory has suggestions for workarounds and remediation.