17 Dec 2008, Shaun Nichols, V3
Microsoft is planning to issue an out-of-cycle update to address a new rash of attacks targeting Internet Explorer 7.
The company issued an alert on 16 December to notify users that the update will be released on 17 December to fix a security flaw in the browser which has been actively targeted in the wild.
The vulnerability is believed to exist only in IE7. Other programs and earlier versions of the browser are not thought to be at risk.
Security firm Trend Micro said that the flaw exists in the handling of certain text files launched through WordPad. A specially-crafted document could cause the application to crash, leaving the attacker able to access the targeted system and execute code.
Such remote code flaws are often targeted by attackers who embed the exploit code in web pages or disguise it as downloads or attachments.
A Microsoft spokesperson told vnunet.com that the fix will be released at approximately 10am US Pacific time through the Automatic Update and Microsoft Update applications.
Delivery of the update comes just one week after the release of what Microsoft had hoped would be the final update of 2008. The December Patch Tuesday release addressed 27 flaws, including some in Internet Explorer.
Microsoft occasionally releases 'out-of-cycle' patches when a flaw is thought to be too serious or too heavily targeted to wait until the scheduled monthly update.