Today, Microsoft released an out-of-band security patch: Microsoft Security Bulletin MS10-002 – Critical, Cumulative Security Update for Internet Explorer (978207).

MS10-002 addresses the previously announced flaw in Internet Explorer that has been widely reported as the key attack vector in reported attacks against Google and other companies by entities based in China (MS Security Advisory #979352). Microsoft has confirmed that there are active exploits attacking Internet Explorer 6. Microsoft reports that multiple organizations assisted them in identifying the in-the-wild attacks, including Google, MANDIANT, Adobe, McAfee and the French government CSIRT (CERTA). Because of these in-the-wild exploits and the amount of media and customer attention on this specific exploit, Microsoft decided it was in their customers’ best interest to issue this out-of-band patch. Microsoft has tried to limit out-of-band patches in order to help customers minimize the impact on their organizations whenever critical security patches are released.

In total, this update addresses eight specific vulnerabilities in Internet Explorer. Six of them involve memory corruption flaws and six have the potential of allowing remote code execution. According to the Microsoft Security Research & Defense team, this update also addresses the DEP bypass vulnerability made public yesterday, which exists in all current versions of Internet Explorer. If not bypassed, DEP can help in stopping the exploit code. Newer versions of Internet Explorer running on Windows Vista and Windows 7 are less vulnerable. These versions of Windows have Address Space Layout Randomization (ASLR), which provides an extra level of protection beyond DEP. This is a clear, real-world example of the superior security model implemented in Windows Vista and Windows 7, and should be a wake-up call to organizations still running Windows XP to accelerate their migration plans.

Given the in-the-wild exploit code, Lumension is recommending to all customers that they immediately review their environments for computers with Internet Explorer 6 running on Windows XP. These machines should be prioritized in deployment plans for this critical security update. Additionally, given that this update addresses six separate remote code execution vulnerabilities, it is imperative that organizations track the deployment of this patch and confirm its successful installation on all Windows computers in their organization.