Microsoft may have committed to patching the IE vulnerability, but it has not said whether it will ship an "out-of-band" update, or one outside the regular monthly schedule known as Patch Tuesday.
The next Patch Tuesday is Oct. 9, three weeks from today.
Storms gave the odds of an out-of-band update a "decent likelihood," but added some caveats. "As usual, the code change is probably the quick part. It's the testing requirements that will take time. Let's see them put their new IE testing resources to work," said Storms.
Storms' reference to resources was a nod to Microsoft's July announcement that it was ditching its longstanding every-other-month patch plan for IE. "We have ... increased our Internet Explorer resources to the point where we will be able to release an update during any month instead of on our previous, bi-monthly cadence," Wee said at the time.
Microsoft will be more likely to release an emergency update if attacks increase or if it cannot come up with an easier way to defend IE than EMET. "If they can deliver a Fixit, they will," said Storms, talking about the automated tools that Microsoft often crafts to configure software settings. "That would [relieve] some of the pressure for a quick patch. If they can't do a Fixit and if the attacks go high, the out-of-band is sure to follow."
An alternative, others have argued, is to stop using IE until Microsoft fixes the bug. Earlier Monday, Rapid7's chief security officer HD Moore advised people to switch, if only temporarily, to Google's Chrome or Mozilla's Firefox.
"I was hoping for easier and less-obtrusive mitigations," Storms said. "My sense is Microsoft is working some late hours to get this [patch] out in a jiffy."
Sign up for MIS Asia eNewsletters.