The emergency patch for Internet Explorer
The emergency update for Internet Explorer is a collective patch that remedies a total of eight different security flaws at once. Without a doubt, the most critical flaw concerns memory management and is the one recently exploited against companies such as Google; exploit code is already in circulation on the internet.
Microsoft has also closed at least four more holes for which malicious code will probably pop up soon. The December patch for IE reportedly fixed two other flaws in memory management at least to the extent that they can no longer be specifically exploited. Finally, Microsoft has finally gotten around to fixing the known XSS problem in Internet Explorer 8.
The security flaws affect all versions of Internet Explorer on all versions of Windows including Internet Explorer 8 on Windows 7. Users of older versions, where such protective mechanisms as Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR) are not yet available or active, are admittedly at the greatest risk, but even these protective measures can be duped, leaving Windows users with no choice but to install this collective patch. Other Windows applications can also suffer from these security flaws if they use components of Internet Explorer, Outlook being one example. The patch also protects these applications.
And there is one other interesting thing about this vulnerability: Microsoft has confirmed that they received word of the problem last September via "responsible disclosure". The discussion about the most efficient publication strategy for security updates will probably flare up again as a result. Companies like Google and Adobe are unlikely to be pleased to hear this bit of news. but on the other hand, they were apparently still using Internet Explorer 6.
- Cumulative Security Update for Internet Explorer, Microsoft Security Bulletin MS10-002
- Windows hole discovered after 17 years, a report from The H.
- Internet Explorer hole: Help is at hand, a report from The H.
- German government IE warning leads to spike in Firefox downloads, a report from The H.
- Hole in Internet Explorer: Good news and bad news, a report from The H.
- UK Government won't issue Internet Explorer warning, a report from The H.
- Targeted attacks on businesses continue, a report from The H.
- US to protest against Chinese hacker attacks, a report from The H.
- Warning over using Internet Explorer from German Government as exploit goes public, a report from The H.