Microsoft is warning users to protect themselves from a zero-day bug in Internet Explorer (IE) after it was disclosed Wednesday at the Black Hat hacking and security conference.
The announcement came just a day before Microsoft (NASDAQ: MSFT) provides advance notice regarding what bugs will be fixed on next week's Patch Tuesday.
Although Microsoft didn't initially mention the Black Hat D.C. security conference taking place outside of Washington as the source of the bug's unveiling, a company spokesperson confirmed that its Security Advisory was a response to Core Security's presentation at the event. During the presentation, researcher Jorge Luis Alvarez Medina discussed security holes in IE that could impact users of older Windows operating systems.
"Microsoft is aware of the presentation at Black Hat which describes proof-of-concept code on an information disclosure vulnerability in Internet Explorer," a Microsoft spokesperson told InternetNews.com in an e-mail. "This affects customers running Windows XP or who have disabled Internet Explorer Protected Mode."
The bug, which Microsoft did not describe, likely came to light too late to yield a full patch in tandem with next week's Patch Tuesday. Microsoft security officials stated they will issue a patch for the hole but haven't yet said when it will be available.
However, in its advisory, Microsoft published several workarounds for affected users.
It's not the first time that presenters at a Black Hat conference have confounded Microsoft and forced it to react to serious bug disclosures.
In September, presenters at a Black Hat conference in Las Vegas disclosed a critical bug in older versions of Microsoft's Internet Information Services (IIS) Web server software.
Microsoft put out a Security Advisory at that time saying it was working on a patch and, a month later, released a Security Bulletin which included a patch that fixed the IIS bug.
The latest hole would enable a remote attacker to access files on the user's hard disk but only if the attacker actually knows the name and location of the file.
Clicking on a poisoned link in an e-mail, instant messaging session, or booby-trapped Web site could give the attacker access -- although still with the caveat that the attacker would need to know the names of files and their locations.
Microsoft described several workarounds for affected users. For Windows XP users, the company has a Microsoft Fix It item that will automatically block the network protocol that contains the hole. Alternatively, a user can choose to follow manual steps to accomplish the same thing.
Meanwhile, users of IE7 or IE8 running on Windows Vista or later, including Windows 7 and Windows Server 2008, should be safe if they have Protected Mode turned on, which is the default setting.
If the bug is deemed critical enough, Microsoft may ship the patch -- once it's coded and tested -- as a so-called "out-of-band patch," meaning the company would not wait for the next Patch Tuesday. The company did just that at the end of January when it issued an out-of-band patch for another zero-day vulnerability in, not surprisingly, IE.