[Infowarrior] - MS to release emergency IE fix on Tuesday

Richard Forno rforno at infowarrior.org
Tue Mar 30 00:01:30 UTC 2010


MS to release emergency IE fix on Tuesday

Drive-by download risk prompts out-of-sequence patch

By John Leyden

Posted in Enterprise Security, 29th March 2010 19:05 GMT

http://www.theregister.co.uk/2010/03/29/ie_emergency_fix/

Microsoft has announced plans to release an out-of-sequence patch, designed to resolve a zero-day vulnerability in Internet Explorer.

A cumulative update to Internet Explorer (MS10-018) plugs a security hole in IE 6 and IE 7 exploited by hackers over recent weeks. The latest version of Microsoft's browser - IE 8 - is not vulnerable to the flaw, which Microsoft first acknowledged was a problem on 9 March.

The vulnerability stems from a flaw in how the iepeers.dll library handles invalid values passed to the "setAttribute()" function. Exploits create a means to drop malware onto the PCs of victims, provided they visit a booby-trapped website using a vulnerable version of IE, as explained in our earlier story.

In a statement, Microsoft said it had taken the unusual but far from unprecedented step of releasing a patch outside its regular Patch Tuesday update cycle after monitoring the situation and reaching the conclusion that "an out-of-band release is needed to protect customers". The update also includes fixes for nine other vulnerabilities in IE that Redmond had initially planned to release on 13 April. ®

