Microsoft To Release Out-Of-Band Patch Fixing Critical IE Flaw
July 27, 2009 7:45 PM ET
Microsoft plans to release an emergency out-of-band patch Tuesday, repairing numerous critical security holes in Internet Explorer that allow remote attackers to execute malicious code on the computers of unsuspecting PC users.
Microsoft said in its advance notification advisory Monday that it plans to release fixes for critical vulnerabilities in its Internet Explorer Web browser, which affect numerous versions of Windows running IE, including 2000, XP, Vista and Server 2008.
In addition, Microsoft plans to release a patch Tuesday with the less severe ranking of "moderate," shoring up security holes in its Visual Studio product line that affect "certain types of applications," according to a Microsoft blog post. However, despite the "moderate" ranking, the Visual Studio bug can also be exploited remotely by hackers, according to Microsoft.
Mike Reavey, director of the Microsoft Security Response Center, said in a company blog post that the IE security update provides "defense-in-depth changes to Internet Explorer" that will simultaneously provide further protection for Visual Studio users, while also addressing privately reported critical IE flaws unrelated to the Visual Studio bulletin.
Reavey added that Microsoft Windows users who were up-to-date with the latest patches on their systems were protected from known attacks exploiting both vulnerabilities.
Security experts recommend that users apply both patches immediately once they are issued Tuesday.
According to Microsoft's vulnerability ranking system, a "critical" designation implies that an attacker could exploit the flaw remotely to create and propagate an Internet worm that replicates without any user intervention. Meanwhile, a moderate ranking generally indicates that the security hole is difficult to exploit or the flaw is mitigated by other factors that reduce the risk of attack.
The impending IE and Visual Studio security updates will be the first out-of-band patches released so far this year. Although uncommon, out-of-band patches are issued from time to time to provide immediate protection to users from "in-the-wild" attacks or otherwise address security problems that can't be postponed until the next monthly "Patch Tuesday" update release.
Microsoft released an out-of-band patch in October 2008, repairing a critical hole in the Windows Server Service. While the patch fixed the vulnerability, it didn't stop the ensuing attack that resulted in the creation and propagation of the Conficker worm in 2008 and 2009, which wreaked havoc on corporate networks and infected millions of users worldwide.
Microsoft also released an out-of-band patch in December 2008 that repaired a zero-day flaw in IE's data binding function, which ultimately left a hole in the memory space that could be accessed and exploited by remote hackers.