Microsoft Corp will issue an out-of-cycle security patch to address a zero-day vulnerability in Internet Explorer versions 6 and 7 that has been exploited in recent weeks to wage cyber attacks.
The security update, designated “MS10-018”, will plug a security vulnerability in both IE 6 and IE 7. The flaw is reportedly attributed to an invalid pointer reference within the browser that can still be accessed after the object has been removed, allowing attackers to carry out remote code execution on the victim’s machine.
“The out-of-band security bulletin is a cumulative security update for Internet Explorer and will also contain fixes for privately reported vulnerabilities rated Critical on all versions of Internet Explorer that are not related to this attack”, the company said in an advisory.
In addition, the out-of-band update addresses nine security vulnerabilities, some of which even impact IE 8, the software giant said in a Monday blog post. The company asserted that these nine security holes “were responsibly disclosed” and that it is not yet aware of any attacks exploiting them.
Microsoft first alerted users to the zero-day vulnerability on 9th March, and asserted at that time that its impact was restricted to some “targeted” attacks only.
But the subsequent release of exploit code for the vulnerability drove the company to issue an out-of-cycle security patch.
It all happened at the CanSecWest event last week, where so many flaws were discovered and revealed that it made many companies, including Microsoft and Apple, slightly uncomfortable. Both companies have already managed to get software updates out before the exploits were ... exploited.