Microsoft released an "out-of-band patch" for a security vulnerability in Internet Explorer 6 (IE6) and 7 (IE7) that the company had warned users about earlier this month.
The move marks an urgent response to a bug that is already being actively exploited in the wild (a so-called zero-day vulnerability), although Microsoft (NASDAQ: MSFT) said those attacks have been limited. Typically, Microsoft addresses security fixes only through its regular "Patch Tuesday" roundup of monthly updates.
Microsoft provided systems administrators with advance notice of the pending patch release on Monday.
"Organizations that are still using IE6 and IE7 should deploy this security update as soon as possible, according to their established patch management procedures and policies," Don Leatham, senior director of solutions and strategy at security researcher Lumension, said in an e-mail to InternetNews.com. "Adhering to proven patch management best practices is especially important for deploying out-of-band or 'early' patches," he added.
Closing the IE6 and IE7 hole became a priority shortly after news of the problem first surfaced. The company released a Security Advisory -- i.e., a warning to users that does not contain a patch but may include workarounds -- regarding the IE6 and IE7 hole on March 9, Microsoft's most recent Patch Tuesday.
The threat became more immediate in mid-March, however, when a hacker released a Metasploit module to make it easier for other hackers to duplicate the attacks.
Users who previously applied the workarounds contained in the earlier Security Advisory may not be out of the woods quite yet: Any workarounds that users applied while they were waiting for the full-scale fix to arrive will need to be undone prior to installing the patch, according to Microsoft's Security Bulletin on the new patch.
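As an added illustration (not code from the article, from Microsoft, or from the bulletin itself), the pre-flight script below orders the steps the bulletin calls for on a single machine: detect the installed IE version, revert any advisory workaround that is still present, install the cumulative update, and confirm the workaround did not survive. The workaround registry path, value name and update package file are placeholders, since the article does not name them; the IE version key is the standard one for these browser releases.

```powershell
# Added example: pre-flight for deploying a cumulative IE update where an
# earlier advisory workaround must be undone before the patch is installed.
# The workaround key, value name and package path are PLACEHOLDERS; take the
# real values from the vendor's Security Advisory and Security Bulletin.

$WorkaroundKey   = 'HKLM:\SOFTWARE\PLACEHOLDER\IEWorkaround'   # placeholder path
$WorkaroundValue = 'PLACEHOLDER_Value'                         # placeholder value name
$UpdatePackage   = 'C:\Patches\PLACEHOLDER-KBnnnnnn.exe'       # placeholder installer

function Get-IEMajorVersion {
    # IE stores its version string under this key on the releases discussed here.
    $v = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -Name Version -ErrorAction Stop).Version
    return [int]($v.Split('.')[0])
}

function Test-WorkaroundApplied {
    # True when the advisory workaround value is still present in the registry.
    $item = Get-ItemProperty -Path $WorkaroundKey -Name $WorkaroundValue -ErrorAction SilentlyContinue
    return ($null -ne $item)
}

function Remove-Workaround {
    # The bulletin requires interim workarounds to be undone before patching.
    Remove-ItemProperty -Path $WorkaroundKey -Name $WorkaroundValue -ErrorAction Stop
    Write-Host "Workaround reverted."
}

function Install-CumulativeUpdate {
    # /quiet and /norestart are the usual switches for Windows update packages;
    # exit code 3010 means the install succeeded but a reboot is pending.
    $p = Start-Process -FilePath $UpdatePackage -ArgumentList '/quiet', '/norestart' -Wait -PassThru
    if ($p.ExitCode -notin 0, 3010) { throw "Update installer exited with $($p.ExitCode)" }
    Write-Host "Update installed (exit code $($p.ExitCode))."
}

$major = Get-IEMajorVersion
Write-Host "Detected Internet Explorer $major"

if ($major -in 6, 7) {
    Write-Host "Version affected by the actively exploited bug: deploy without delay."
} elseif ($major -eq 8) {
    Write-Host "IE8 is not affected by the exploited bug but is in scope for the cumulative update."
}

# Ordering matters: revert first, install second, then verify the workaround is gone.
if (Test-WorkaroundApplied) { Remove-Workaround }
Install-CumulativeUpdate
if (Test-WorkaroundApplied) { throw "Workaround still present after install; investigate before closing the ticket." }
```

The final check matters because a configuration-management tool that re-applies the workaround on its next run would silently undo the point of the cumulative update; the script treats that as a failure rather than a success.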
The flaw does not impact IE8, the most current version of Microsoft's browser, which was released a year ago.
As part of the new out-of-band patch -- so called because it did not come out on Patch Tuesday but, rather, when the patch was ready and fully tested -- Microsoft also fixed nine other privately reported security flaws that had been found in most versions of IE.
The nine other security bugs patched in this out-of-band release do impact IE8, though.
Beyond IE6, IE7, and IE8, the other fixes also close holes rated "critical" -- the most severe ranking on Microsoft's four-tier rating scale -- in IE 5.01 Service Pack 4 (SP4) and IE6 SP1 on Windows 2000 SP4, the bulletin said.
Because the patch contains fixes for the other nine bugs as well as all previous IE patches, it is referred to as a "cumulative patch," meaning that users who have gotten behind in installing IE patches can get caught up with a single installation.
"This is an encouraging change for Microsoft, not only addressing the known issue but patching ten vulnerabilities with the out-of-band update," HD Moore, chief security officer and Metasploit chief architect at security firm Rapid7, said in an e-mail to InternetNews.com.
"Shipping patches for nine additional vulnerabilities tells me that Microsoft wants to get ahead of other issues that are prone to zero days. A year ago, they may have patched the known issue and waited two weeks for the other vulnerabilities [to be patched]," he added.