Microsoft will be releasing an unscheduled security patch later today to fix a ‘zero day’ vulnerability affecting its browser, Internet Explorer.
The vulnerability was discovered in December. Security vendor FireEye said that it had been used to compromise the website of the Council of Foreign Rleations, an independent advisory, on December 21.
In a post on December 29, Microsoft said the vulnerability, which affects versions 6, 7, and 8 of Internet Explorer, could allow hackers to execute code remotely on users’ machines if they visit certain malware-infected websites. The company said the vulnerability does not affect versions 9 or 10 of Internet Explorer.
Initially, it released a temporary Fixit tool that it said would protect machines against the vulnerability. However, security provider Sophos said machines were being infected even after that tool was installed.
Microsoft has labelled the new security patch, due out later today, as critical, meaning that the vulnerability "could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email".
It is being released outside of Microsoft’s scheduled cycle of security pataches.