In a rare move, Microsoft will release an out-of-band security fix for Internet Explorer (IE) today to correct a flaw that could be easily exploited by malicious hackers. Microsoft generally prefers to release such fixes during its regularly scheduled, monthly security patch day. But the IE flaw was judged to be critical, so an emergency fix was prepared. Microsoft is also releasing a related, out-of-band fix for a Visual Studio flaw that is rated moderate but could result in remote code execution.
The IE security flaw, called killbit bypass, was found by researchers who posted information about possible exploits in a web video. The researchers will also present information about the flaw during the Black Hat security conference being held this week. In the video, IE is made to load an ActiveX control that is known to be bad. In the demo, the control loads the Windows Calculator applet, but it could run any code on the PC.
As of this writing, Microsoft has posted some information about the fixes on its security website. The IE flaw affects virtually every combination of Windows and IE currently in the wild. Microsoft says the fixes will be delivered electronically starting at 10:00 a.m. Pacific time today.