Emergency Microsoft patch fixes IE zero-day vulnerability

Microsoft will release an emergency security update for Internet Explorer that patches a remote execution vulnerability in the Web browser.

Microsoft said it will release an out-of-band patch tomorrow that fixes a remote code execution vulnerability in Internet Explorer 6 and 7 that was announced three weeks ago.

MS10-018 will fix an invalid pointer reference used by the Web browser. This will be a cumulative IE security update that will also fix nine other vulnerabilities in IE that were originally planned for the April 13 Patch Tuesday release.

Microsoft said on March 9 that under certain conditions, the invalid pointer could be accessed after an object is deleted. Using a particular attack, the vulnerability could be exploited for remote code execution. Exploit code has been released to the Metaspolit framework, prompting the emergency patch.

Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 are affected; IE 8 is not.

"We recommend that customers install the update as soon as it is available," Microsoft said today in an advisory.

In its original advisory, Microsoft said attackers could use spear phishing techniques to lure users to malicious websites where malware would be downloaded onto a victim's machine. The attacker could then have the same user rights as the local user. Microsoft recommended workarounds at the time, including setting the security level for the Internet zone in IE to high, and disabling script and Active X controls.

Dig deeper on Windows Security: Alerts, Updates and Best Practices

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close