Thursday, April 1st, 2010

Microsoft Releases Out-Of-Band Patch for IE

Microsoft has fixed an emergency drive-by download vulnerability in Internet Explorer 6 and 7.

On Tuesday, Microsoft said that it had released MS10-018 “out-of-band” due to an increase in attacks against its two older browsers, Internet Explorer 6 and Internet Explorer 7. Normally Microsoft releases updates via its customary “Patch Tuesday” roundup. However, this rare move served as an urgent response to a zero-day, drive-by download vulnerability that has been heavily exploited by attackers over the last several weeks.

According to Microsoft, the patch addresses the publicly disclosed vulnerability first revealed on March 9. The problem is caused by an invalid pointer reference within the two older browsers that can be accessed after an object is deleted; this can allow attackers to swoop in and launch remote code execution attacks. At the time, Microsoft said that the problem was limited to “targeted” attacks; however, that has since changed.

“The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer,” Microsoft said weeks ago. “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

In addition to the zero-day exploit, the latest patch also addresses nine other vulnerabilities, some of which even affect Internet Explorer 8. Microsoft’s Jerry Bryant said that many have asked Microsoft whether Tuesday’s patch addresses the vulnerability that was used in the Pwn2Own contest at the CanSecWest security conference last week. Apparently that’s a negative.

Category: News