Microsoft on Tuesday issued an emergency warning about a newly discovered "zero day" attack against various versions of Internet Explorer (IE). The flaw that allows this attack could let hackers remotely gain access to users' PCs and is rated as "critical," the company's most severe security rating. Microsoft will issue a fix today.
"Microsoft issued its Advance Notification of security update MS08-078 which will address a new vulnerability allowing remote code execution in all affected versions of Internet Explorer products," a Microsoft statement reads. "Microsoft intends to release this security update [Wednesday], December 17 at 10 AM PT through Automatic Updates and Microsoft Update."
The flaw affects IE 5, 6, and 7, but Microsoft says it is only aware of attempts to compromise systems running IE 7. Microsoft's next browser, IE 8, is currently in beta but the company recommends that Beta 2 users apply the coming patch as well.
This attack is particularly scary because users can be compromised simply by visiting Web sites; it doesn't require them to click on or download anything. It's possible that even known and trusted sites could have attack code "injected" into them, and apparently a number of mostly Chinese Web sites have, in fact, been hacked to that purpose.
IE users, especially IE 7 users, are advised to download today's patch as soon as its becomes available. More information about this flaw can be found on the Microsoft Web site, though the company won't release full details until the fix is out.
http://www.microsoft.com/technet/security/bulletin/ms08-dec.mspx