March 30, 2010

Microsoft pushes emergency browser fix for 10 bugs

Microsoft on Tuesday pushed out an emergency patch for a publicly known Internet Explorer (IE) vulnerability that has faced increasing exploits in recent days.

The flaw, which can permit the execution of remote code, affects only IE 6 and 7, not the latest version (IE 8) of the popular web browser, according to a Microsoft advisory posted earlier this month. A fix was scheduled for April 13, but was fast-tracked "due to growing attacks," Jerry Bryant, Microsoft's group manager for response communications, said in a blog post.

Tuesday's rare, out-of-band patch — Microsoft typically only releases security updates on the second Tuesday of each month — also resolves nine other bugs, none of which were publicly known prior to Tuesday. But experts do expect attackers to now reverse engineer the patch details to create fresh exploits.

Three of the nine newly announced vulnerabilities affect IE 8. However, just one of the flaws warranted "critical" status across all versions of IE.

"I assume that basically what happened is the fix for the first vulnerability allows criminals to understand or gain information about the other vulnerabilities, so they had to release it all at once," Mickey Boodaei, CEO of internet security firm Trusteer, told SCMagazineUS.com on Tuesday.

Related Articles
Related Topics

More in News

Privacy-bolstering "Apps Act" introduced in House

The bill would provide consumers nationwide with similar protections already enforced by a California law.

Microsoft readies permanent fix for Internet Explorer bug used in energy attacks

Microsoft is prepping a whopper of a security update that will close 33 vulnerabilities, likely including an Internet Explorer (IE) flaw that has been used in targeted website attacks against the U.S. government.

Weakness in Adobe ColdFusion allowed court hackers access to 160K SSNs

Up to 160,000 Social Security numbers and one million driver's license numbers may have been accessed by intruders.