Microsoft confirms critical IE bug, works on fix

From InfoWorld: Microsoft late Wednesday confirmed that all versions of Internet Explorer (IE) contain a critical vulnerability that attackers can exploit by persuading users to visit a rigged Web site.

Although the company said it would patch the problem, it is not planning to rush out an emergency update.

"The issue does not currently meet the criteria for an out-of-band release," said Carlene Chmaj, a spokeswoman for the Microsoft Security Response Center (MSRC), in an entry on the center's blog. "However, we are monitoring the threat landscape very closely and if the situation changes, we will post updates."

Chmaj also downplayed the threat posed by the bug. "Currently the impact of this vulnerability is limited and we are not aware of any affected customers or active attacks targeting customers," she said.

The vulnerability in IE6, IE7 and IE8 surfaced several weeks ago when French security firm Vupen disclosed a flaw in IE's HTML engine. Tuesday, researchers posted a video demonstration of an attack, and added a reliable exploit to the Metasploit penetration toolkit.

View: Article @ Source Site