A positive response has been given to Microsoft's out-of-band patch for the widely reported vulnerability in Internet Explorer.
Commentators across the industry have recommended applying the update as soon as possible. The patch, labelled MS10-002, fixes a total of eight vulnerabilities, including the zero-day identified as CVE-2010-0249.
Jerry Bryant, security program manager for Microsoft Security Response Center, said: “This Internet Explorer security update was already planned for release in February. When the attack discussed in Security Advisory 979352 was first brought to our attention on 11th January, we quickly released an advisory for customers three days later. As part of that investigation, we also determined that the vulnerability was the same as a vulnerability responsibly reported to us and confirmed in early September.”
Wolfgang Kandek, CTO of Qualys, said: “By the time of public disclosure of the attacks against Google and others, the fix was in essence ready and tested. It was slated for release in the February patch bulletin. Microsoft had to decide whether an out-of-band release of the patch was warranted or whether to bundle it into the February release as originally planned.
“An out-of-band release causes additional work for IT administrators that are tasked with addressing operating system vulnerabilities and have been feeling the strain of keeping updated the growing number of software packages that attackers are increasingly targeting.
“Nevertheless, given that exploits are available and that security researchers have shown that DEP as a defence can be circumvented, we recommend applying this update as soon as possible.”
Jason Miller, data and security team leader at Shavlik Technologies, said: “The exploit allowed hackers to trick users into installing malware on targeted machines which could then be used to steal data.
“The attack looks like a message that's sent from a trusted source via email or social media, so when the user clicks on a link or file, it triggers the hack. The exploit opens a back door, which then compromises the machine of the target. This attack was designed to exploit PCs, netbooks and laptops using Internet Explorer version 6 running on Windows XP. By issuing this out-of-band patch now, Microsoft has cut the time hackers could use to exploit the vulnerability in advance of the 9th February Patch Tuesday bulletin releases.”
Andrew Storms, director of security operations at nCircle, commented that the patch was a ‘very run-of-the-mill patch for Microsoft’, but as the vulnerability was responsible for such a high-profile breach, the pressure on Microsoft to respond quickly has been extremely high.