Microsoft has released its second out-of-band patch for Internet Explorer in less than three months.
As announced by SC Magazine yesterday, Microsoft released security update MS10-018 to address a publicly disclosed vulnerability in Internet Explorer 6 and Internet Explorer 7. Microsoft senior security communications manager Jerry Bryant said that the patch was a ‘typical cumulative update for Internet Explorer' and it released the patch ahead of the next Patch Tuesday on 13th April ‘due to the growing attacks against the publicly disclosed vulnerability'.
Bryant also confirmed that ten vulnerabilities on Internet Explorer 6, 7 and 8 are covered, with one vulnerability (CVE-2010-0806) under active attack. The update covers seven critical vulnerabilities in Internet Explorer 6, five in Internet Explorer 7 and two in Internet Explorer 8. Full details are displayed here.
Bryant also commented on questions about whether the update patches the vulnerability that was used in the ‘pwn2own' contest at the CanSecWest security conference last week. He said: “We are still investigating that issue at this time so we do not have an update available.
“In accordance with the contest rules, the vulnerabilities used are responsibly disclosed so that the respective vendors can produce updates to protect their customers before the vulnerabilities can be used by criminals. Microsoft continues to encourage responsible disclosure and we are a sponsor of the CanSecWest conference because we believe in working closely with security researchers to protect customers and the entire computing ecosystem.”
Andrew Storms, director of security operations for nCircle, said: “For the second time this year, Microsoft has released an out-of-band patch to address critical vulnerabilities in Internet Explorer. Let's hope this isn't the start of a bad trend for Microsoft in 2010.
“Microsoft has a strong commitment to their regular monthly patch cycle, so issuing this patch clearly shows the elevated threat levels related to this zero-day bug. Users that are slow to patch risk remote code execution attacks that can take over a computer. The security community has been wondering how Microsoft was able to release this update so quickly, and the answer is that the bug was responsibly disclosed to them before it became public.”
Alan Bentley, VP international at Lumension, said: “From an impact perspective, this is a remote code execution and impacts Internet Explorer (IE) versions 6 and 7. The unscheduled release is in response to a reported upswing in attacks against Microsoft customers as detailed in Microsoft Security Advisory 981374. This advisory also reports that there are nine other vulnerabilities that are being addressed in the IE Cumulative Update.
“Adhering to proven patch management best practices is especially important for deploying out-of-band or ‘early' patches. Additionally, this is a tangible example of the improved security model implemented in Microsoft IE 8, and should provide strong incentive for those organisations that have not yet migrated to IE 8 to do so sooner than later.”
Joshua Talbot, security intelligence manager at Symantec Security Response, said: “The catalyst for this out-of-band update is definitely increased activity around the iepeers.dll zero-day vulnerability. Symantec has also observed a recent spike in attempted infections via this security hole. The typical attempted infection process seems to involve compromising a legitimate website then inserting an iframe which redirects users to a malicious site.
“Though none of the other issues have exploit code publicly available, I think many of them will also be trivially exploitable under certain circumstances. For example, users running Internet Explorer 6 and older and those using Windows XP are at the greatest risk. Keep in mind, though, that Internet Explorer 7 and 8 users are also at risk. To make a long story short, this is a critical bulletin that needs to be applied sooner rather than later.”