Softpedia
 


December 15th, 2010, 09:51 GMT · By

IE and Stuxnet Zero-Days Finally Patched



Microsoft patches CVE-2010-3888 and CVE-2010-3962

Microsoft has finally patched a remote code execution vulnerability in Internet Explorer that has been actively exploited in the wild for six weeks, as well as the last Stuxnet zero-day flaw.

Yesterday, Microsoft released 17 security bulletins covering a total of 40 vulnerabilities in Windows, Office, Internet Explorer, SharePoint Server and Exchange.

Among them was CVE-2010-3962, a remote code execution flaw in Internet Explorer, exploited in targeted attacks since the beginning of November.

Proof-of-concept exploit code for the flaw has been publicly available for around a month and was even incorporated in some versions of the Eleonore drive-by download toolkit.

The vulnerability was addressed together with six other IE security holes in MS10-090, one of the two security bulletins marked as critical.

On this month's Patch Tuesday, Microsoft also patched CVE-2010-3888, a local elevation of privilege (EoP) vulnerability in the Task Scheduler component on Windows Vista and 7.

This is the last of the four zero-day vulnerabilities exploited by the Stuxnet industrial espionage worm and has been known since at least August.

Even though attack code for it was also published online many weeks ago, the flaw was exclusively targeted by Stuxnet until recently.

Last week, security researchers from Kaspersky Lab warned that the exploit had been integrated into the latest versions of the sophisticated TDL4 rootkit.

The vulnerability was addressed in security bulletin MS10-092, which carries a severity rating of Important, an exploitability index of 1 and a deployment priority of 2.

The second critical security bulletin in this year's last batch of patches is MS10-091, which covers three remote code execution vulnerabilities in the Windows OpenType Font driver.

"All three issues were privately reported and we are not aware of any active attacks using them," said Angela Gunn, senior marketing communications manager at Microsoft.
