I wasn't planning on posting today, but when I read this, I felt I should whip something up quickly.
Security researchers have released attack code that exploits an unpatched bug in Microsoft's Internet Explorer (IE) and sidesteps defenses baked into Windows 7.
Microsoft late Wednesday confirmed that all versions of Internet Explorer (IE) contain a critical vulnerability that attackers can exploit by persuading users to visit a rigged Web site. The site can then hijack personal data and install malicious code and/or malware. This will bypass all security software and Windows 7 protestion. Network Administrators and IT Professionals can download EMET 2.0 from MS who claim it can be configured to protect servers.
MS Security Advisory (2488013) HERE.
Although the company said it would patch the problem, it is not planning to rush out an emergency update.
The next regularly-scheduled Patch Tuesday is Jan. 11, but because Microsoft usually updates the browser every other month, and just did so last week, it's possible the vulnerability won't be addressed until February.
Microsoft's usual practice is to release an emergency fix only if attacks appear and then grow in strength. Microsoft has never revealed how it sets the point at which a rush patch is triggered.
The vulnerability in IE6, IE7 and IE8 surfaced several weeks ago when French security firm Vupen disclosed a flaw in IE's HTML engine.
The bug first surfaced earlier this month when French security firm Vupen announced it had uncovered a flaw in IE's HTML engine, however the vulnerability was noted and explained earlier in a Chinese trade publication.
Doc suggests using Firefox, Opera, or any non iE based browser until this vulnerability is patched.