As close to 10:00 a.m. PST as possible

Jan 21, 2010 12:01 GMT

Following the public reports of an unpatched zero-day vulnerability being actively exploited in limited and targeted attacks, Microsoft has moved extremely fast to produce a patch rendering the exploits useless. The security hole the Redmond company will plug today, January 21st, 2010, was used as one of the vectors in the now infamous attacks, originating from China, against Google and a roster of US-based companies. MS10-002, as the label implies, is the second security bulletin that Microsoft will release in 2010, and it will impact all supported versions of Internet Explorer.

“We are planning to release the update as close to 10:00 a.m. PST as possible. This is a standard cumulative update, accelerated from our regularly scheduled February release, for Internet Explorer with an aggregate severity rating of Critical. It addresses the vulnerability related to recent attacks against Google and a small subset of corporations, as well as several other vulnerabilities,” revealed Jerry Bryant, senior security program manager, Microsoft.

MS10-002 is what Microsoft refers to as an out-of-band security update, because it does not follow the schedule of the company’s monthly patch cycle. As noted by Bryant, MS10-002 was initially planned for availability on the second Tuesday of February 2010. The Microsoft Security Bulletin Advance Notification for January 2010, published on January 20, offers insight into the patch package which the Redmond company will start serving to Internet Explorer users later today.

To date, Microsoft has identified only limited and targeted attacks against Internet Explorer 6. However, the vulnerability affects all supported versions of Internet Explorer, including IE7 and IE8 running on Windows XP, Windows Vista and IE8 on Windows 7. The Redmond company considers the security vulnerability Critical, especially since attacks have already proven that successful exploits allow attackers to perform remote code execution.

“Once applied, customers are protected against the known attacks that have been widely publicized. We recommend that customers install the update as soon as it is available. For customers using automatic updates, this update will automatically be applied once it is released,” Bryant added.
