Fix for 0-day affecting IE6 and IE7 is coming

Mar 30, 2010 09:52 GMT

Microsoft has been hard at work building a patch for a zero-day security vulnerability affecting older versions of Internet Explorer. The security hole was first confirmed in the first half of this month, and by mid-March the company had indicated that a patch was in the works. At that time, the software giant also mentioned the possibility of an out-of-band security bulletin, and with the update now wrapped up, customers will be able to deploy the patch starting today, March 30. The out-of-band bulletin is designed primarily to plug a 0-day hole in Internet Explorer 6 and Internet Explorer 7 that is already being actively exploited in attacks in the wild. As underlined before, customers running IE8 are not affected by this particular vulnerability.

MS10-018 will be offered on March 30, 2010, at 10:00 a.m. PDT (UTC-7), Jerry Bryant, senior security communications manager – lead, Microsoft, revealed. The Redmond company has already published the Security Bulletin Advance Notification for the out-of-band release and Security Advisory 981374, offering customers information about the out-of-band patch.

“We recommend that customers install the update as soon as it is available. Once applied, customers are protected against the known attacks related to Security Advisory 981374. We have been monitoring this issue and have determined an out-of-band release is needed to protect customers. For customers using automatic updates, this update will automatically be applied once it is released,” Bryant said.

Customers should expect Security Bulletin MS10-018 to deliver more than a single fix. As is traditionally the case with IE bulletins, the latest one is a cumulative update. In this regard, MS10-018 will bring to the table a fix for the 0-day vulnerability, but also patches designed to address nine other vulnerabilities. MS10-018 was initially planned for release on April 13, the regular monthly update date, but is being offered earlier precisely to help customers still running IE6 and IE7 protect themselves against attacks targeting the 0-day flaw. That flaw stems from an invalid pointer reference being used within IE: under certain conditions the stale pointer can be accessed after the object it referred to has been deleted, which is what the in-the-wild attacks exploit.

“We have received several questions about this bulletin today. Basically, if Internet Explorer 6 and 7 are the only versions affected by the active attacks, why does the Advance Notification page state that Internet Explorer 8 and Windows 7 are affected? To clarify, the Security Advisory was released due to one vulnerability that is under active attack. That vulnerability only affects Internet Explorer 6 and 7. However, the bulletin, MS10-018, that we will release tomorrow, addresses 9 additional vulnerabilities. Some of those also affect Internet Explorer 8. All of the 9 additional vulnerabilities were responsibly disclosed and we are not aware of any active attacks against them,” Bryant added.