Microsoft To Release Another Out-Of-Band Patch
Security update MS10-018 will patch the IE 6 and IE 7 vulnerability, which is caused by an invalid pointer reference within IE that can be accessed after an object is deleted, paving the way for hackers to carry out remote code execution attacks.
Update MS10-018 also fixes nine additional vulnerabilities, some of which affect IE 8, Microsoft said in a Monday blog post. Microsoft says these nine flaws "were responsibly disclosed" and that it isn't aware of any active attacks that are targeting them.
Microsoft first warned users of the zero day on March 9 and said at the time that its impact was limited to "targeted" attacks. But the subsequent appearance of exploit code forced Microsoft's hand and necessitated the out-of-band patch.
In one attack outlined by McAfee Labs, unsuspecting Web surfers that visited the domain topix21century.com were served up a drive-by download of a Trojan named notes.exe, which would them create two copies of itself in the Windows temp directory and generate a .DLL file that, when injected into IE, would give attackers remote access.
Out-of-band patches are rare, but Microsoft in January released one to deal with a major IE vulnerability that was used by hackers in China in attacks against Google and more than 30 other Silicon Valley firms.