With pressure from the security community mounting, Microsoft might issue an early patch for a recently discovered flaw in Internet Explorer (IE) 6. The software company had originally expected to patch the flaw in IE's Vector Markup Language (VML) rendering component on October 10, Microsoft's next regularly scheduled security update release day.
There's just one problem: Attackers have already exploited the flaw. Over the weekend, an attack was disseminated through Web hosting providers by using another flaw in software that many such providers use. For now, Microsoft says that actual attacks are "limited" and aren't "dramatic and widespread," as some news accounts have alleged.
Regardless, Microsoft intends to ship its patch as soon as it's ready. " We have been working non-stop on an update to help protect from this vulnerability," Microsoft Security Response Center Operations Manager Scott Deacon wrote in a corporate blog Friday. "We've made some progress in our testing pass for the update and are now evaluating releasing this outside the monthly cycle, as we do any time customers are under threat and we believe we can issue an update that meets our quality bar for widespread deployment. So right now we're looking at where we hit that quality bar, and if that occurs prior to the monthly cycle, then we will release \[a patch\]."
Given the schedule Deacon alluded to in the blog, Microsoft could release an update at any time. In the meantime, for more information about the vulnerability and a list of workarounds for the flaw, see Microsoft Security Advisory 925568 at the URL below.
http://www.microsoft.com/technet/security/advisory/925568.mspx
