Via out-of-band security bulletin

Mar 31, 2010 13:01 GMT

Microsoft has released an out-of-band security bulletin that patches 10 vulnerabilities affecting multiple releases of Internet Explorer. “Out-of-band” is the Redmond company's term for security updates that do not fit its monthly patch cycle. As a general rule, the software giant releases updates on Patch Tuesday, the second Tuesday of every month, a schedule designed to let customers plan the deployment of security bulletins. On rare occasions, when vulnerabilities are being actively exploited in the wild, Microsoft ships an out-of-band bulletin instead so that customers are protected as early as possible.

This is precisely the case with MS10-018, which Microsoft released ahead of schedule to help customers fend off a growing number of attacks against a publicly disclosed zero-day vulnerability in IE7 and IE6. The specific Uninitialized Memory Corruption vulnerability (detailed in Security Advisory 981374) does not affect Internet Explorer 8. “Internet Explorer 8 is unaffected by the vulnerability in Security Advisory 981374, and is not vulnerable to any of the current attacks. We have been monitoring this issue and have determined that an out-of-band release is needed to protect customers. Microsoft recommends that customers test and deploy this security update as soon as possible,” Jerry Bryant, group manager, Response Communications Microsoft, revealed.

Beyond deploying MS10-018, customers should at least start planning IE8 upgrades throughout their environments, as the latest iteration of IE is superior to IE7, and especially to IE6, in terms of security. Still, since no piece of software is bulletproof, MS10-018 also plugs IE8 security holes: the cumulative update for Internet Explorer was originally scheduled for April 13, the next Patch Tuesday in the company’s normal update cycle, and carries the fixes that had been queued for that release.

“The Internet Explorer team accelerated testing of this update due to the growing attacks against the publicly disclosed vulnerability (CVE-2010-0806), and the update has reached the appropriate quality bar for distribution to customers. Releasing the update early provides Internet Explorer 6 and 7 customers protection against the active attacks and provides users of all versions of Internet Explorer protection against nine other vulnerabilities,” Bryant added.

As Microsoft's severity table (reproduced in the gallery image) shows, IE8 is affected by just three of the vulnerabilities, only two of which are rated Critical. By comparison, IE7 is hit by seven security flaws, five of them Critical, and IE6 by eight vulnerabilities, seven of them Critical. “The most severe vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. However, customers whose accounts are configured with fewer user rights, such as not running in administrative mode on the system, may be less impacted than those who operate with administrative user rights,” Bryant said.
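The practical question for an administrator reading the above is which hosts are still running IE6 or IE7 without the update, since those are the only ones exposed to the active attacks, while IE8 hosts still need the cumulative update for its other fixes. The following PowerShell inventory check is an added example, not code from the article or from Microsoft. It assumes that MS10-018 is installed as KB980182 (the KB number the bulletin lists; confirm it for your platform), that the installed IE version is recorded under HKLM:\SOFTWARE\Microsoft\Internet Explorer, and that the function name Get-MS10018Status is our own.

```powershell
# Added example (not from the article or from Microsoft). Reports one host's
# exposure to MS10-018 based on the installed IE version and whether the
# update's KB is present. Assumptions: MS10-018 == KB980182; IE version is
# stored under HKLM:\SOFTWARE\Microsoft\Internet Explorer.
function Get-MS10018Status {
    [CmdletBinding()]
    param(
        # KB number associated with MS10-018 (assumption; verify against the bulletin)
        [string]$KB = 'KB980182'
    )

    $ieKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $props = Get-ItemProperty -Path $ieKey -ErrorAction Stop

    # IE9 and later record the real version in svcVersion; IE6/7/8 use Version.
    $versionString = if ($props.PSObject.Properties['svcVersion']) { $props.svcVersion } else { $props.Version }
    $major = [int]($versionString.Split('.')[0])

    # Get-HotFix reads Win32_QuickFixEngineering; absence there is not proof the
    # update is missing on every platform, so the mshtml.dll file version is
    # reported as a second signal for manual comparison against the bulletin.
    $patched    = [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
    $mshtmlPath = Join-Path $env:windir 'System32\mshtml.dll'
    $mshtmlVer  = if (Test-Path $mshtmlPath) { (Get-Item $mshtmlPath).VersionInfo.FileVersion } else { 'n/a' }

    # Only IE6 and IE7 are targets of the in-the-wild attacks (CVE-2010-0806);
    # IE8 is unaffected by that bug but still needs the cumulative update.
    $exposedToActiveAttacks = ($major -le 7) -and (-not $patched)

    $recommendation = if ($exposedToActiveAttacks) { "Deploy $KB now; plan upgrade to IE8" }
                      elseif (-not $patched)       { "Deploy $KB (cumulative update)" }
                      else                         { 'Patched' }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        IEVersion              = $versionString
        IEMajor                = $major
        MshtmlFileVersion      = $mshtmlVer
        PatchInstalled         = $patched
        ExposedToActiveAttacks = $exposedToActiveAttacks
        Recommendation         = $recommendation
    }
}

# Run locally; for a fleet, wrap the call in Invoke-Command -ComputerName <list>.
Get-MS10018Status | Format-List
```

The IEMajor/PatchInstalled pair is what drives triage: a host with IEMajor 6 or 7 and PatchInstalled false is in the population the active attacks target and should be patched first, whereas an unpatched IE8 host is lower priority but not exempt, because MS10-018 also fixes IE8 flaws.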

UPDATE: Corrected "a dozen vulnerabilities" in the first paragraph, replacing it with 10 vulnerabilities.

Photo Gallery (2 images): "IE", "IE vulnerabilities"