In the face of an uptick in hacker attacks targeting a zero-day flaw in its Internet Explorer browser, Microsoft has announced plans to ship an emergency IE patch on Tuesday, March 30, 2010.
The vulnerability in question only affects Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7.
Two weeks ago, an Israeli hacker was able to piece together clues to reproduce the vulnerability and release exploit code into the Metasploit hacking tool. Since then, there has been a slight uptick in attacks seen in the wild and this forced Microsoft to push ahead with plans for an out-of-band update.
The IE patch will also include fixes for several other vulnerabilities:
The out-of-band security bulletin is a cumulative security update for Internet Explorer and will also contain fixes for privately reported vulnerabilities rated Critical on all versions of Internet Explorer that are not related to this attack.
From the MSRC blog:
Internet Explorer 8 is unaffected by the vulnerability addressed in the advisory and we continue to encourage all customers to upgrade to this version to benefit from the improved security protection it offers.
We recommend that customers install the update as soon as it is available. Once applied, customers are protected against the known attacks related to Security Advisory 981374. We have been monitoring this issue and have determined an out-of-band release is needed to protect customers. For customers using automatic updates, this update will automatically be applied once it is released. Additionally, because Security Bulletin MS10-18 is a cumulative update, it will also address nine other vulnerabilities in Internet Explorer that were planned for release on April 13.
The earliest attacks against this vulnerability included the use of a backdoor that allows complete access to a vulnerable machine.
The backdoor allows an attacker to perform various functions on the compromised system, including uploading & downloading files, executing files, and terminating running processes.