Tuesday Microsoft said that it released MS10-018 "out-of-band" due to an increase in attacks against its two older browsers, Internet Explorer 6 and Internet Explorer 7. Normally Microsoft releases updates via its customary "Patch Tuesday" roundup. However, this rare move served an urgent response to a zero-day, drive-by download vulnerability that has been heavily exploited by attackers over the last several weeks.
According to Microsoft, the patch will address the publicly disclosed vulnerability first revealed on March 9. The problem is caused by an invalid pointer reference located within the two older browsers that can be accessed after an object is deleted-- this can allow attackers to swoop in and initialize remote code execution attacks. At the time, Microsoft claimed that the problem was limited to "targeted" attacks, however that has since changed.
"The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer," Microsoft said weeks ago. "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
In addition to the zero-day exploit, the latest patch also addresses nine other vulnerabilities that even effect Internet Explorer 8. Microsoft's Jerry Bryan said that many have asked Microsoft if Tuesday's patch addresses the vulnerability that was used in the Pwn2Own contest at the CanSecWest security conference last week. Apparently that's a negative.
"We are still investigating that issue at this time so we do not have an update available," he said. "In accordance with the contest rules, the vulnerabilities used are responsibly disclosed so that the respective vendors can produce updates to protect their customers before the vulnerabilities can be used by criminals. Microsoft continues to encourage responsible disclosure and we are a sponsor of the CanSecWest conference because we believe in working closely with security researchers to protect customers and the entire computing ecosystem."
No comments:
Post a Comment