Emergency IE update patches 10 critical security holes
Summary: The critical MS08-018 update patches security holes that could lead to code execution attacks on all versions of Microsoft's flagship browser, including the newest Internet Explorer 8.
Microsoft today shipped a cumulative Internet Explorer update with patches for 10 security holes, including a drive-by download vulnerability that's already being used in malware attacks.
From the bulletin:
The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
The patch comes a full three weeks after the appearance of targeted drive-by download attacks that dropped a backdoor on a hijacked Windows computer.
The backdoor allowed an attacker to perform various functions on the compromised system, including uploading and downloading files, executing files, and terminating running processes.
This chart from the MSRC blog provides a simplified view of the ten vulnerabilities and their aggregate severity on Internet Explorer 6, 7, and 8:
* CVE-2010-0806 vulnerability under active attack.


Talkback
Wow
That's right. The 'wow' begins now.
9.6MB on Windows XP SP3. nt
Are limited rights users affected?
Limited rights users are affected.
As for privilege escalation, these vulnerabilities do not appear to permit that. However, a blended attack using a vulnerability that does may open the door.
Am I imagining things or did 50 comments just disappear into thin air again?
No
And we thank you, oh gracious mods.
Really? Are they deleting non-relevant posts?
Man, I was hoping to read all about
Now I have to read discussion about the actual article...
It's the magic of Microsoft's gift to ZDNet
I only use IE for windows update.
Actually...
True, but it still only updates Internet Explorer.
It updates other things as well
Oh and Outlook. Whoopy.
Having to browse from random website A to random website B updating stuff just isn't fun.
I like...
However, which do you prefer RPM, or is there a more modern package manager?
Secunia PSI won't update anything, it just lets you know when..
Same with FileHippo, minus the "only security updates part".
Synaptic is a nice GUI for apt that's officially supported by most distros, and will keep everything (even Linux itself) up-to-date, automatically.
It also lets you install/uninstall everything from a nice, central location, with all packages cryptographically signed.
That is pretty much...
apt get ... I hear that is close to the appropriate prefix, though my punctuation is atrocious on any FOSS solution.
That is not correct, AzuMao
I suggest upgrading to the full Microsoft Update engine, however. On Vista and 7, there's a checkbox to do that. Microsoft Update can update additional MS software such as Office, Silverlight, Network Monitor, etc.
Going back to monkeyman1140's comment, I think he might've been implying that he doesn't need to keep IE updated since he personally uses it only for Windows Update. But it's best from a security standpoint to keep IE up-to-date whether you use it or not, so that if something tries to exploit it, you've got the most exploit-resistant version, which is definitely IE8 thanks to its dedicated DEP, SmartScreen and ActiveX opt-in-only behavior.