Article

Emergency Microsoft patch fixes IE zero-day vulnerability

Michael S. Mimoso, Editorial Director

Microsoft said it will release an out-of-band patch tomorrow that fixes a remote code execution vulnerability in Internet Explorer 6 and 7 that was announced three weeks ago.

    Requires Free Membership to View

MS10-018 will fix an invalid pointer reference used by the Web browser. This will be a cumulative IE security update that will also fix nine other vulnerabilities in IE that were originally planned for the April 13 Patch Tuesday release.

Microsoft said on March 9 that under certain conditions, the invalid pointer could be accessed after an object is deleted. Using a particular attack, the vulnerability could be exploited for remote code execution. Exploit code has been released to the Metaspolit framework, prompting the emergency patch.

Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 are affected; IE 8 is not.

"We recommend that customers install the update as soon as it is available," Microsoft said today in an advisory.

In its original advisory, Microsoft said attackers could use spear phishing techniques to lure users to malicious websites where malware would be downloaded onto a victim's machine. The attacker could then have the same user rights as the local user. Microsoft recommended workarounds at the time, including setting the security level for the Internet zone in IE to high, and disabling script and Active X controls.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: