In association with heise online

31 March 2010, 10:22

Ten birds with one stone - Microsoft patches Internet Explorer


Microsoft has released an out-of-schedule update, closing the critical hole in Internet Explorer which has been known for about three weeks (iepeers.dll) – as well as nine further, previously unknown holes. However, not all of the holes are contained in all the supported versions. The risk of a successful attack also varies with the browser version and Windows version targeted. This is due to the improved security features in recent versions of IE (such as protected mode) and Windows (DEP, ASLR).

The "F1 hole" disclosed four weeks ago still remains unpatched. It targets the MsgBox VBScript function, which can download help files (.hlp) from a remote source and execute arbitrary commands via macros contained in these files. However, this does require some user interaction as the user must confirm by pressing the F1 key.

It seems Microsoft did not have enough time to also patch the hole in Internet Explorer 8 recently disclosed during the Pwn2Own contest. Contestant Peter Vreugdenhil managed to crack Internet Explorer 8 on Windows 7 despite ASLR and DEP. The available information about this security hole, however, is currently limited to a rather unspecific post by Vreugdenhil (PDF).


(crve)

Permalink: http://h-online.com/-967867
 

