In association with heise online

21 January 2010, 22:25

The emergency patch for Internet Explorer


The emergency update for Internet Explorer is a collective patch that remedies a total of eight different security flaws at once. Without a doubt, the most critical flaw concerns memory management and is the one recently exploited against companies such as Google; exploit code is already in circulation on the internet.

Microsoft has also closed at least four more holes for which malicious code will probably pop up soon. The December patch for IE reportedly fixed two other flaws in memory management, at least to the extent that they can no longer be specifically exploited. Finally, Microsoft has gotten around to fixing the known XSS problem in Internet Explorer 8.

The security flaws affect all versions of Internet Explorer on all versions of Windows, including Internet Explorer 8 on Windows 7. Users of older versions, where protective mechanisms such as Data Execution Prevention (DEP) and Address Space Layout Randomisation (ASLR) are not yet available or active, are admittedly at the greatest risk. But even these protective measures can be circumvented, leaving Windows users with no choice but to install this collective patch. Other Windows applications can also be affected by these security flaws if they use components of Internet Explorer, Outlook being one example. The patch also protects these applications.

And there is one other interesting thing about this vulnerability: Microsoft has confirmed that it received word of the problem last September via "responsible disclosure". The discussion about the most efficient publication strategy for security updates will probably flare up again as a result. Companies like Google and Adobe are unlikely to be pleased to hear this bit of news, but on the other hand, they were apparently still using Internet Explorer 6.


(djwm)

Permalink: http://h-online.com/-910500
 

