[Infowarrior] - MS to release emergency IE fix on Tuesday
Richard Forno
rforno at infowarrior.org
Tue Mar 30 00:01:30 UTC 2010
MS to release emergency IE fix on Tuesday
Drive-by download risk prompts out-of-sequence patch
By John Leyden • Get more from this author
Posted in Enterprise Security, 29th March 2010 19:05 GMT
http://www.theregister.co.uk/2010/03/29/ie_emergency_fix/
Microsoft has announced plans to release an out-of-sequence patch, designed to resolve a zero-day vulnerability in Internet Explorer.
A cumulative update to Internet Explorer (MS10-018) plugs a security hole in IE 6 and IE 7 exploit by hackers over recent weeks. The latest version of Microsoft's browser - IE 8 - is not vulnerable to the flaw, which Microsoft first acknowledged was a problem on 9 March.
The vulnerability involves a flaw in the iepeers.dll library involving the handling of invalid values passed to the "setAttribute()" function. Exploits create a means to drop malware onto the PCs of victims, providing they visit booby-trapped website using vulnerable version of IE, as explained in our earlier story here.
In a statement, Microsoft said it had taken the unusual but far from unprecedented step of releasing a patch outside its regularly Patch Tuesday update cycle after monitoring the situation and reaching the conclusion that "an out-of-band release is needed to protect customers". The update also includes fixes for nine other vulnerabilities in IE that Redmond had initially planned to release on 13 April. ®
More information about the Infowarrior
mailing list