Microsoft knew of IE zero-day flaw since last September

Summary: Microsoft today admitted it knew of the Internet Explorer flaw used in the attacks against Google and Adobe since September last year.


The flaw was in the Microsoft Security Response Center's (MSRC) queue to be fixed in the next batch of patches due in February, but the targeted zero-day attacks against U.S. companies forced the company to release an emergency, out-of-band IE update.

The IE update applies to all versions of the browser on all Windows OS versions and patches at least eight documented vulnerabilities that could lead to remote code execution attacks.

The patches are included in the critical MS10-002 bulletin.


The vulnerability used in the attacks (CVE-2010-0249) was privately reported to Microsoft last August by Meron Sellen, a white-hat hacker at BugSec, an Israeli security research company. Microsoft program manager Jerry Bryant said the company confirmed the severity of the flaw in September and planned to ship a fix in a cumulative IE update next month.

The vulnerability is described as a remote code execution issue in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted.

An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.


Even if you don't use Internet Explorer for regular Web browsing, it's important for Windows users to apply this update immediately. That's because the vulnerability can be exploited by including an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file.

"Customers would have to open a malicious file to be at risk of exploitation," Microsoft's Bryant said, urging users to disable ActiveX controls in Microsoft Office.




Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
