Microsoft Swats IE Zero-Day in Emergency Security Patch
Microsoft fixed a total of 10 vulnerabilities impacting Internet Explorer in a security update March 30. So far, only the zero-day bug impacting IE 6 and 7 is known to be under attack.
Microsoft issued an emergency patch March 30 for a zero-day bug affecting Internet Explorer, closing a security hole exploited by attackers this month in assaults on IE 6 and 7 users. The update was initially going to be issued as part of April's Patch Tuesday release and actually includes fixes for a total of 10 IE vulnerabilities. Only the zero-day, however, has been reported as under attack.
Microsoft first warned of the vulnerability, which is caused by an invalid pointer reference, during this month's Patch Tuesday. Though the bug does not affect Internet Explorer 8, attackers were able to exploit the flaw on IE 6 and IE 7 to run arbitrary code. According to Microsoft, if Internet Explorer attempts to access an object that either has not been initialized or has been deleted, it can corrupt memory and leave the user open to remote code execution by an attacker.