
Microsoft confirms plan to release out-of-band IE update

By | January 19, 2010, 12:05pm PST

Summary: Microsoft confirmed today that it plans to release an out-of-band security update to address a zero-day vulnerability in Internet Explorer. The update is undergoing testing now.

Update 21-Jan 11:00AM PST: Security Update MS10-002 is now being delivered via Windows Update and Windows Software Update Services. It is also available for manual download and installation. For details, read Microsoft Security Bulletin MS10-002.

Update 20-Jan 10:20AM PST: Microsoft’s advance notification for this security update is now available. The update itself will be delivered tomorrow, January 21. According to a Microsoft spokesperson, “This is a standard cumulative update, accelerated from our regularly scheduled February release, for Internet Explorer with an aggregate severity rating of Critical. It addresses the vulnerability related to recent attacks against Google and a small subset of corporations, as well as several other vulnerabilities. Once applied, customers are protected against the known attacks that have been widely publicized.”

Microsoft has also updated its Security Advisory to address recent reports of exploit code (created by security researchers) that is capable of bypassing Data Execution Prevention (DEP). Preliminary investigation suggests that the technique might be effective on Windows XP but will be more difficult to exploit on Windows Vista and Windows 7 because of an additional security feature, Address Space Layout Randomization (ASLR), available in those platforms.

I just spoke with George Stathakopoulos, General Manager of Trustworthy Computing Security at Microsoft, regarding the ongoing security issue affecting Internet Explorer. (For background, see my earlier post, It’s time to stop using IE6. For an update on the vulnerability and its impact, see this Zero Day blog post from ZDNet’s Ryan Naraine.)

According to Stathakopoulos, a security update for all versions of Internet Explorer will be released “out of band” - that is, earlier than the next regularly scheduled update cycle on Patch Tuesday, February 9. The update is currently undergoing testing, and Microsoft expects to announce a release schedule tomorrow, January 19.

Separately, Gregg Keizer at ComputerWorld reports that French security researchers claim to have circumvented the Data Execution Prevention security feature and executed their own exploit code on Internet Explorer 8 with DEP enabled. A Microsoft spokesperson says they are investigating those claims and “will take appropriate action to help protect customers.”

Stathakopoulos reiterated that Microsoft so far has seen only “very limited and targeted attacks” and confirmed that the only successful attacks have been against IE6.

I will update this post when further information is available.


Ed Bott is an award-winning technology writer with more than two decades' experience writing for mainstream media outlets and online publications.

Comments

Not a big deal, Microsoft has released out of band patches before, this won't be the first or the last. The important thing is they recognized the vulnerability and did something about it.
0 Votes
+ -
Apple just released some patches.
Intellihence 19th Jan 2010
Where's Microsoft's?
0 Votes
+ -
....
Badgered 20th Jan 2010
Apple just released some patches. Where's Microsoft's?

Patch Tuesday and Out of Band patches... try to keep up.
Why use these idiotic tech code words like "out-of-band"?
The term means nothing to 99.9% of the population.
0 Votes
+ -
Contributor
Direct quote
Ed Bott 19th Jan 2010
That's the exact term for it, and I put it in quotes and defined it in the second paragraph.

What else do you want?
0 Votes
+ -
Part of the syndrome
JelMin 20th Jan 2010
Perhaps you could ask them to speak plainly in the first place? MS sometimes lives in a world not entirely congruent with reality, and this perversion of language is part of the psychosis. It's not that you translated for them, it's that translation was necessary at all. Still, we owe you a debt of gratitude for pointing it out, I guess.
When 2 National security authorities dump on them like they have, it'll take some considerable evidence and track record of delivery before their reputation recovers. When the problem is as bad as it seems to be, then it may be irrecoverable.
0 Votes
+ -
Two wrongs don't make a right
thinker999 20th Jan 2010
Direct quote or not, it's still wrong.

The patch may be being delivered "out of cycle," which relates to the date and frequency or regularity of delivery, but unless it's being delivered by some method other than network connectivity, it's most certainly in-band.

Let's see if we can keep the "close enough/same difference" crowd in the trade press from b@sterdizing the term "out of band," as they have already done to "hacker" and "bandwidth," shall we?

People who can't/shouldn't be expected to know the difference can be forgiven or at least tolerated. Those who do/should know better don't deserve the same tolerance for imprecision.
0 Votes
+ -
Oh Sweet Jesus! ...
mbrello@... 21st Jan 2010
Can we PLEASE stay on topic and get over "out of cycle" v. "out-of-band"??? Didn't you still understand what was being discussed??

Ed was using a direct quote from Microsoft in his article; if anyone is at fault for using wrong terminology, it's Microsoft. So let's not flame the messenger, shall we? If you don't have anything useful to contribute, ZIP IT!
0 Votes
+ -
Out of what type of band?
david@... 21st Jan 2010
"Out-of-band" certainly means NOTHING to me, even though I am an IT professional. Are Microsoft hiring a music band to provide the IE update? Or flicking elastic bands at people who are complaining about the security flaws?
0 Votes
+ -
So sick of Microsoft acting like they are doing us a favor by releasing a patch for a hole early that they more than likely knew about and chose to ignore for a while.

Microsoft should be ashamed for not patching holes in IE or Windows faster. They should not be praised 'cause they finally release a patch for a hole they knew about.
0 Votes
+ -
Contributor
Great leaps
Ed Bott Updated - 20th Jan 2010
I don't know how you assume they knew about this. Trust me, if someone had reported this vulnerability to Microsoft previously and it had been ignored, they would have screamed about it to the high heavens. Every single INDEPENDENT researcher who has written about this says it is a new, previously unreported exploit.
0 Votes
+ -
They knew about it around Thanksgiving
Randalllind 20th Jan 2010
According to Redmond Developer News they issued a warning Thanksgiving.

So they should have patched it before now, is all I was saying.

http://reddevnews.com/articles/2009/11/30/microsoft-warns-of-ie-6-and-ie-7-bug.aspx
0 Votes
+ -
Contributor
Completely different issue
Ed Bott 20th Jan 2010
That was an issue with CSS and it was patched on December 8.
0 Votes
+ -
Interesting...
Pete "athynz" Athens 5th Feb 2010
people complain when MS doesn't patch things right away and when they patch something "out of band" or "out of cycle" or whatever term you want to use people STILL complain... Suck it up dude.

And what - to reply to an earlier post - does APPLE have to do with MS patch releases?
0 Votes
+ -
SAAS
mehinindiana 20th Jan 2010
I didn't mean to imply that SAAS was here in a usable form. I actually agree with most of your points. On the other hand I think the trends are clear, and becoming clearer in each incarnation of SAAS.
0 Votes
+ -
Of course, using silly terms like "out-of-band" is what made me read this article in the first place. Even though it is still a silly term.
I know it's not realistic, but I wish they would just announce a future end of life date for IE6 rendering the browser useless after that date. I can dream, can't I?
0 Votes
+ -
Office 2010 has as you know in-built protection mechanisms referred to largely as 'sandboxing' at MSTech Net.

I have not been successful in locating for example documentation on an API in Windows 7, if any, that would give developers the ability to write into their own apps with features such as 'Protected View'.

Is there API documentation for the sandboxing that Office 2010 affords? If so, a link to it would be appreciated.

Thank you,
Dietrich
0 Votes
+ -
Contributor
That is the appropriate place to ask those questions.
0 Votes
+ -
OK, so when you decide it suits your purpose...
D T Schmitz Updated - 22nd Jan 2010
...you revert to applying your 'double-standard' which is to oblige your readership by trying to answer their questions even if they are somewhat or even way off-topic.

I've seen you do that time and time again.

My question asked for a link to the relevant documentation, not an elaborate explanation from you.

I am going to assume you already know there isn't any API documentation for how to 'sandbox' a developer's app.

Only you are just dodging the question.

That is what we here in these parts call being: "intellectually dishonest".

That's my take on your response.
