Microsoft Swats IE Zero-Day in Emergency Security Patch

 
 
By Brian Prince  |  Posted 2010-03-30
 
 
 

Microsoft issued an emergency patch March 30 for a zero-day bug affecting Internet Explorer, closing a security hole exploited by attackers this month in assaults on IE 6 and 7 users.

The update was initially going to be issued as part of April's Patch Tuesday release and actually includes fixes for a total of 10 IE vulnerabilities. Only the zero-day, however, has been reported as under attack.

Microsoft first warned of the vulnerability, which is caused by an invalid pointer reference, during this month's Patch Tuesday. Though the bug does not affect Internet Explorer 8, attackers were able to exploit the situation on IE 6 and IE 7 to run arbitrary code. According to Microsoft, if Internet Explorer attempts to access an object that has either not been initialized or has been deleted, it can corrupt memory and leave the user open to remote code execution by an attacker.

"If administrators used any of the workarounds suggested in the security advisory (KB981374) that prompted this out-of-band release, it is important for them to un-apply the workarounds," Jason Miller, data and security team manager at Shavlik Technologies, said in a statement. "This will restore functionality that was lost due to the temporary fix."

Of the remaining vulnerabilities, only three affected IE 8. However two of those-an uninitialized memory corruption issue (CVE-2010-0490) and an HTML object memory corruption vulnerability (CVE-2010-0492)-are rated "critical."

"With any zero-day exploit that is being actively targeted, it is critical for administrators to patch their systems as soon as possible," Miller said. "Some patch maintenance cycles are scheduled over weekends to accommodate the known downtime. While many are planning for a long holiday weekend, administrators should not wait to patch this until next week as we know that hackers won't be taking the weekend off."


Rocket Fuel