Microsoft rushes to patch zero-day IE hole

Monday, March 29, 2010
Last modification: Tuesday, March 30, 2010: 1:05 p.m. PDT

On Tuesday, Microsoft is releasing an out-of-band patch to address a vulnerability in Internet Explorer 6 and 7 that, if exploited, would allow an attacker to compromise the targeted system. In addition to the patch addressing the widely known flaw, MS10-018 will also correct nine other vulnerabilities.

“We have been monitoring this issue and have determined an out-of-band release is needed to protect customers,” Microsoft said in a statement.

Discovered earlier this month, the flaw in Internet Explorer is caused by a use-after-free error in iepeers.dll when handling invalid values passed to the “setAttribute” function. If it is exploited, the attacker would have control over the system at the permissions level of the current user. Considering most users are logged in as an administrator on their systems, the issue quickly gained notoriety.

While Microsoft said that users of Internet Explorer 8 and Windows 7 are not vulnerable, the fact that the majority of its users are open to attack led the company to move up the timeline for the patch.

“The last time Microsoft issued an out of band patch for IE was in January, and it was for the ‘Aurora’ bug that was used to exploit Google, Adobe and other large enterprises. Given that Microsoft’s regular patch is only 15 days away, an out-of-band patch definitely means there is a serious uptick in attacks against this bug in the wild,” said Andrew Storms, Director of Security Operations for nCircle.

“Microsoft’s turnaround time on this bug was very impressive. Generally, it takes at least 30 days from advisory to bug fix release. Microsoft released the advisory on March 9th, just three weeks ago.”

Each of the ten updates in MS10-018 will be listed as Critical by Redmond, and the company expects them to reach systems by 1:00 p.m. PDT on March 30.

• Microsoft Security Bulletin MS10-018 – Critical
• Cumulative Security Update for Internet Explorer (980182)
• Microsoft Security Bulletin Advance Notification for March 2010
• Internet Explorer Cumulative Update Releasing Out-of-Band

Source(s): Microsoft Corporation
© Copyright 2010 Dominic Stoughton. All Rights reserved.
