Microsoft Rushes to Patch 'Serious' Flaw in IE6, IE7

Microsoft is rushing to patch what's described as a serious flaw in Internet Explorer 6 and Internet Explorer 7 after the code for exploiting the security hole was published online.

Microsoft has announced that it is currently testing a patch for an IE6 and IE7 flaw after the exploitation code was made public by Israeli security researcher Moshe Ben Abu. Though the next Patch Tuesday is not until early April, Microsoft's Jerry Bryant said the release of the code means there would likely be a patch before then.

"We have seen speculation that Microsoft might release an update for this issue out-of-band," Bryant, a senior communications manager with the Microsoft Security Response Center (MSRC) wrote in a blog post. "I can tell you that we are working hard to produce an update which is now in testing," he said, adding, " This is a critical and time intensive step of the process as the update must be tested against all affected versions of Internet Explorer on all supported versions of Windows."

Microsoft warned users of the vulnerability last week, only to have research Moshe Ben Abu release the exploitation code the next day. The vulnerability is said to exist due to an invalid pointer reference being used within IE. MS says it is possible for the invalid pointer to be accessed after an object is deleted.

"In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution," Microsoft said in its advisory.

Microsoft has released an automated workaround but the Fix It is only effective for users running Windows XP and Windows Server 2003.

Read Bryant's full blog post here. Click here to access the Fix It page.