In my recent post on the public release of exploit code for the Internet Explorer vulnerability that has been much in the news since it was used to attack Google, I mentioned that there were rumors that Microsoft would release a patch for the vulnerability (described in MS Security Advisory 979352) before the next regular “Patch Tuesday”, February 9.
Microsoft has now confirmed, in a post on its “Microsoft Security Response Center” blog, that it will be releasing an out-of-schedule patch for this vulnerability. The specific timing of the patch release will be announced tomorrow. I’ll post a note here when more information is available.
This is good news, although unscheduled patching is always a nuisance, especially for large organizations. According to reports received by the SANS Internet Storm Center, researchers have found that there are easy ways around some of Microsoft’s suggested mitigations, in particular the use of Data Execution Protection [DEP].