Microsoft is to release an out-of-band patch today for the vulnerability in Internet Explorer.
Jerry Bryant, security program manager for Microsoft Security Response Center, said that the MS10-002 patch will be released today as close to 10am PST (6pm GMT) as possible.
He said: “This is a standard cumulative update, accelerated from our regularly scheduled February release, for Internet Explorer with an aggregate severity rating of critical. It addresses the vulnerability related to recent attacks against Google and small subset of corporations, as well as several other vulnerabilities.
“Once applied, customers are protected against the known attacks that have been widely publicised. We recommend that customers install the update as soon as it is available. For customers using automatic updates, this update will automatically be applied once it is released.”
Microsoft also confirmed that all current versions of Internet Explorer contain a data execution prevention (DEP) bypass vulnerability. If not by-passed, DEP can help in stopping the exploit code. Newer versions of Internet Explorer, running on Windows Vista and Windows 7, are less vulnerable to an active exploit, as they have address space layout randomisation (ASLR) that provides an extra level of protection beyond DEP.
Don Leatham, senior director of business development at Lumension, said: “Microsoft has confirmed that there are active exploits attacking Internet Explorer 6. Because of these in-the-wild exploits and the amount of media and customer attention on this specific exploit, Microsoft decided it was in their customers' best interest to issue this out-of-band patch.
“Given the in-the-wild exploit code, Lumension is recommending to all customers that they immediately review their environments for computers with Internet Explorer 6 running on Windows XP. These machines should be priorities in Thursday's deployment plans for this critical security update. In the meantime, standard security practices regarding attachments, clickable links in email, and AV/AS updates should be followed.”
Joshua Talbot, security intelligence manager at Symantec Security Response, said: “Based on our in-the-field detections, this security vulnerability has only been used in a very limited number of targeted attacks so far, however they appear to be very high profile attacks.
“This security hole is so dangerous because it allows for remote exploitation. This means attackers can run any malicious code of their liking on a victim's machine by taking advantage of the vulnerability.”
Bryant also announced that a security advisory has been released to address an elevation of privilege (EoP) vulnerability in the Windows kernel. This affects all currently supported versions of 32-bit Windows, but 64-bit versions are not affected.
He said: “To exploit this vulnerability, an attacker must already have valid logon credentials and be able to log on to a system locally, meaning they must already have an account on the system. An attacker could then elevate their privileges to the administrative level and run programs of their choice on the system.”
Bryant said that Microsoft was not currently aware of any active attacks against this vulnerability and believed that the risk to customers is limited.