Incident Response, Patch/Configuration Management, TDR, Vulnerability Management

Microsoft patch batch includes fix for zero-day IE flaw


Microsoft delivered its monthly security update on Tuesday to rectify 12 vulnerabilities, five of which are present in Internet Explorer (IE) and comprise the most pressing patch to deploy.

That bulletin -- MS09-072 -- is the only patch that carries both a "critical" severity rating and Exploitability Index grade of 1, meaning consistent exploit code is likely. One of the five flaws was a zero-day, for which proof-of-concept code was publicly available.

"[The patch] is at the top of deployment priority list this month," Jerry Bryant, senior security program manager at Microsoft, said Tuesday in a blog post.

Microsoft originally confirmed the flaw, rated critical on all Windows platforms except Server 2008, in an advisory it released late last month. Experts anticipate malware writers will work quickly to create exploits for the bug considering the holiday shopping season is in full swing.

"Publicly disclosed details of the vulnerability are circulating and this will undoubtedly be targeted to deliver web-borne malware to unsuspecting internet users," said Paul Zimski, vice president of market strategy at Lumension, a provide of vulnerability management products. "We suggest that IT departments quickly assess and immediately patch all end-user machines throughout their organization."

Meanwhile, two of the remaining four IE flaws exclusively affect IE 8, the most recent version of the web browser, released in March.

In total on Tuesday, the software giant pushed out six patches. Aside from the IE fix, two others were deemed critical, affecting Windows and Office.

Bulletin MS09-070 also carries the highest Exploitability Index rating of 1 and addresses two previously unknown bugs in Active Directory Federation Services. However, the flaw only has an "important" rating because an attacker would have to possess login credentials for the targeted server, Bryant said.

Aside from the IE fix, administrators should not feel rushed to patch, experts said.

"Given some of the configurations that are affected, it's definitely worth taking the time to test these patches in your lab before deploying them," said Tyler Reguly, senior security engineer at vulnerability management firm nCircle. "IE is, of course, the exception to that recommendation."

Not patched is a zero-day vulnerability in the Server Message Block (SMB) protocol, explained in an advisory released last month. The company said successful exploitation of the flaw, which affects Windows 7 and Server 2008 Release 2, can lead to a denial-of-service that results in a system crash — but not the injection of malicious code. Exploit code has been published, but Microsoft is not aware of any active attacks underway.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.