After issuing a stopgap patch on Wednesday for a vulnerability that could allow attacks through its Internet Explorer (IE) browser, Microsoft announced that it will release an update to repair five flaws, including a new zero-day vulnerability.
The bugs affect IE 9 and earlier versions and, if exploited, could allow an attacker to take command of Windows PCs and infect them with malware.
Microsoft said it plans to release the fix as close as possible to 10 a.m. PDT on Friday.
As explained in Microsoft Security Advisory (2757760) released on Monday, the "remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated." The flaw could corrupt memory and allow an attacker to execute arbitrary code.
According to a blog post by Yunsun Wee, director of Trustworthy Computing for Microsoft, the vulnerabilities affected a small number of customers.
"The potential exists, however, that more customers could be affected," he wrote.
The fix will be available through Windows Update and the company recommends users install it as soon as it is available. Users with automatic updates enabled on their PC won't need to take any action.
Microsoft has been communicating with users on the issue all week, Andrew Storms, director of security operations for nCircle, said Thursday.
"Even if you think there are a lot of things Microsoft can improve, they are light years ahead of other vendors in providing clear, consistent, valuable communication to their users on security issues," he said.
Microsoft said that Friday's fix covers "other issues as well."
This article originally appeared at scmagazineus.com
Copyright © SC Magazine, US edition