Softpedia
 


February 9th, 2011, 12:28 GMT

Patch for IE CSS Memory Corruption 0-Day Vulnerability Released

With the February 2011 release of the Microsoft security bulletins, Internet Explorer users are receiving patches for no fewer than four vulnerabilities impacting the various supported versions of IE.

Most importantly, Microsoft Security Bulletin MS11-003 Cumulative Security Update for Internet Explorer (2482017) brings to the table a fix for a zero-day vulnerability which the software giant confirmed ahead of Christmas 2010 with the launch of Security Advisory (2488013).

MS11-003 is designed to patch the CSS memory corruption flaw (CVE-2010-3971), and customers are advised to prioritize the deployment of the IE security bulletin so that any attacks and exploits targeting the 0-day are rendered useless.

“This Security Advisory and the zero-day disclosure on which it was predicated caused discussion in the security community, and some observers thought that we might be forced to release an out-of-band bulletin to protect customers,” revealed Angela Gunn, security response communications manager.

“However, out-of-band releases are disruptive to customers and we try to avoid them where possible. Based on our capabilities to closely monitor the threat landscape, we were able to determine that attempts to attack this vulnerability were very low.

“With that information, we were able to extensively test a bulletin to be released as part of our regular bulletin cadence.”

According to Tyson Storey, Lead Program Manager, Internet Explorer, MS11-003 is rated Critical for IE6, IE7 and IE8 running on Windows clients, and only Moderate for the same versions of IE but on Windows Server.

The patches associated with this particular security bulletin have already been released to Windows Update, and they will be downloaded and installed automatically on the computers of customers who have enabled automatic updating in Windows.

“This security update resolves two privately reported vulnerabilities and two publicly disclosed vulnerabilities in Internet Explorer,” Storey stated.

“The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer or if a user opens a legitimate HTML file that loads a specially crafted library file.

“An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

