Microsoft will deviate from its regular Internet Explorer repair schedule today by releasing a patch for older versions of its web browser, which have raised numerous security concerns over the past weeks.
The vulnerability, which is present in Internet Explorer 6, 7 and 8, is a memory corruption issue. It can be exploited by an attacker via a drive-by download, a term for loading a website with attack code that delivers malware to a victim’s computer if the person merely visits the website.
Microsoft released a quick fix for the issue earlier this month, but did not have a more permanent patch ready when it released its monthly batch of patches last Tuesday. The company will occasionally release an emergency patch if the software vulnerability is considered a high risk.
“While we have still seen only a limited number of customers affected by the issue, the potential exists that more customers could be affected in the future,” wrote Dustin Childs, Group Manager, Microsoft Trustworthy Computing Group, on a company blog on Sunday.
The patch, which will be released at 6pm GMT, will be distributed through Windows Update. Childs wrote that users will not have to uninstall the quick fix before applying the patch, which will be installed automatically for those who have automatic updates enabled.
Security vendor Symantec credited a group called Elderwood for finding the Explorer vulnerability. The group has discovered as many as nine other vulnerabilities since 2009 and appears to favour targeting defence contractors, human rights groups, non-governmental organizations and IT service providers, according to a Symantec report issued in September.