14 DAY TRIAL // Microsoft has released the second security bulletin for 2010, after what it appeared to be a slow start for the Redmond company. In the first half of January, the company offered a single bulletin addressing vulnerabilities in supported Windows platforms. In this regard, Microsoft Security Bulletin MS10-002 rated Critical is the second patch package launched this month, containing out-of-band patches designed to plug security holes in supported versions of Internet Explorer. Most importantly, Cumulative Security Update for Internet Explorer (978207) contains the update set up to resolve the Critical zero-day vulnerability in Internet Explorer which was leveraged as one of the exploit vectors in China-based attacks that targeted Google and additional US companies.
“Today, Microsoft released MS10-002 to address eight vulnerabilities in Internet Explorer, including the Remote Code Execution vulnerability reported in Security Advisory 979352. This is a cumulative update for Internet Explorer, accelerated from our regularly scheduled February release. It has an aggregate severity rating of Critical and an Exploitability Index rating of “1”,” revealed Jerry Bryant, senior security program manager, Microsoft.
Bryant underlines the fact that Microsoft has only identified attacks aimed exclusively at Internet Explorer 6, a version of the browser the software giant released back at the start of the century. “Microsoft continues to see limited and targeted attacks against Internet Explorer 6 only. However, Microsoft recommends customers deploy this security update as soon as possible to protect themselves against the known attacks,” he stated.
Cumulative Security Update for Internet Explorer (978207) represents a massive effort from Microsoft. The patch package currently available on Windows Update and Microsoft Update is made up out of 236 separate update packages, according to Dean Hachamovitch, IE general manager.
“This update actually includes 236 separate packages for all the different languages and versions of Windows and IE that customers run and Microsoft supports worldwide. We release these packages simultaneously for all supported products and languages as part of this update,” Hachamovitch noted.
“At a high level, these packages cover: Seven operating system versions: Windows 2000, Windows XP, Windows Server 2003, 2008, and 2008 R2, Windows Vista and Windows 7. Customers run 32-bit, 64-bit, as well as Itanium versions of some of these operating systems, as well as a variety of different service packs. Four different versions of IE: 5.01, 6, 7, and 8. All supported languages. Older versions of Windows require separate language-specific packages, typically between 18 and 25. Windows Vista and later operating systems have a single language-neutral binary to update IE,” he added.
Despite some government institutions rushing to advise customers to use alternative browsers, attacks against the IE 0-day were not widespread, and only targeted IE6, which means that IE7 and IE8 users were never at risk. But even so, customers running IE8 on Windows 7 benefited from an increased level of protection thanks to the added mitigations built in Vista’s successor, including defense in depth protections with DEP, ASLR, and protected mode (via UAC).