The software maker said on its website it released the software, known as a “Fix It,” as an emergency measure to protect customers after learning about “extremely limited, targeted attacks” that made use of the newly discovered bug.
Microsoft said the attacks took advantage of an undiscovered flaw, or “zero day” vulnerability in industry parlance.
State-sponsored hacking groups are often willing to pay hundreds of thousands of dollars for zero-day vulnerabilities in widely used software such as Internet Explorer, according to security experts who track that market.
They typically use them on small numbers of carefully selected, high-value targets, to keep such flaws secret.
Once Microsoft issues a warning about a zero-day bug, other groups of hackers involved in massive cyber-crime operations, such as identity theft, rush to reverse-engineer the Fix Its so they can build computer viruses that also exploit the same vulnerabilities.
Security experts said Internet Explorer users should either immediately install the Fix It or stop using the browser until Microsoft can put out an update, which will be automatically installed through its Windows Update program.
“With the Fix It out, I’m sure any attacker who is a bit sophisticated can figure out what the flaw is and implement a similar exploit in their own attack toolkit,” said Wolfgang Kandek, chief technology officer with the cybersecurity firm Qualys Inc.
“Fix Its” are pieces of software for remediating security flaws that must be downloaded and installed on PCs. They are designed to protect customers while Microsoft prepares official updates, automatically delivered via the Internet to be installed on computers.
Kandek said he expects Microsoft to push out an update to address the issue within two to three weeks.
The Fix It can be installed by clicking on a link this page on Microsoft’s support site: http://bit.ly/19aFz4N
(Reporting by Jim Finkle; editing by Jackie Frank)