Microsoft Fixes Zero-Day Bug With Emergency IE Patch


Microsoft's cumulative out-of-band update, which was given the highest severity rating of "critical," repaired one publicly reported vulnerability and nine privately reported errors in all versions of IE, including IE 5.01, IE 6 Service Pack 1, IE 6 on Windows clients, IE 7, and IE 8 on Windows clients. However, the update was ranked as "important" for IE 6 and "moderate" for IE 8, both on Windows servers.

Originally, the IE patch was slated to be part of the April 13 Patch Tuesday update cycle, but was subsequently bumped up when Microsoft researchers began seeing an increasing amount of attacks exploiting the vulnerability on IE 6 and IE 7.

Andrew Storms, director of security operations for nCircle, said that the fact that Microsoft was releasing an emergency update just a few weeks before it was already set to be included in the regularly scheduled Patch Tuesday cycle indicated the rising severity of the attacks.

"You have to do a lot of tea leaves around this," Storms said. "If you consider that the normal release cycle is only a few weeks away, and they chose to release it, it's another indicator that the attacks have been on the rise."


Specifically, the IE flaw stems from an invalid pointer reference within the browser that can be accessed after an object has been deleted, leaving an opening that can be used to achieve remote code execution.

Subsequently, the out-of-band patch plugged security holes by changing the way that IE "verifies the origin of scripts and handles objects in memory, content using encoding strings and long URLs."
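As an added illustration (not IE's code or Microsoft's fix) of the dangling-reference pattern described above, the constructed C model below reuses an object slot after deletion and shows how a generation check rejects a stale handle that a raw pointer would follow blindly. The `Slot`, `Handle` and accessor names are invented for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a browser-style object arena (not IE code): slots are
 * reused after delete, so a stale reference silently reads whatever object
 * now occupies the slot. A generation counter lets the checked accessor
 * reject such stale handles instead of dereferencing them. */
#define SLOTS 4
typedef struct { char name[16]; uint32_t gen; bool live; } Slot;
typedef struct { int idx; uint32_t gen; } Handle;   /* gen = generation at issue */
static Slot arena[SLOTS];

static Handle obj_create(const char *name) {
    for (int i = 0; i < SLOTS; i++) {
        if (arena[i].live) continue;
        arena[i].live = true;
        strncpy(arena[i].name, name, sizeof arena[i].name - 1);
        arena[i].name[sizeof arena[i].name - 1] = '\0';
        return (Handle){ i, arena[i].gen };
    }
    return (Handle){ -1, 0 };                 /* arena full */
}

static void obj_delete(Handle h) {
    arena[h.idx].live = false;
    arena[h.idx].gen++;          /* every outstanding handle is now stale */
}

/* Unchecked: trusts the index alone, like a raw pointer kept past delete. */
static const char *obj_name_unchecked(Handle h) { return arena[h.idx].name; }

/* Checked: refuses a handle whose generation no longer matches the slot. */
static const char *obj_name_checked(Handle h) {
    if (h.idx < 0 || h.idx >= SLOTS) return NULL;
    Slot *s = &arena[h.idx];
    return (s->live && s->gen == h.gen) ? s->name : NULL;
}

/* Scenario: delete A, allocate B into the freed slot, then read through the
 * stale handle to A. Returns true when the unchecked path yields B's data
 * while the checked path rejects the access. */
static bool stale_handle_demo(void) {
    memset(arena, 0, sizeof arena);
    Handle a = obj_create("script-A");
    obj_delete(a);
    Handle b = obj_create("script-B");         /* reuses slot a.idx */
    const char *raw = obj_name_unchecked(a);   /* "script-B" */
    const char *chk = obj_name_checked(a);     /* NULL */
    return b.idx == a.idx && strcmp(raw, "script-B") == 0 && chk == NULL;
}
```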

Microsoft issued a security advisory March 9 warning users of the zero-day exploit in IE. Security experts say that this particular flaw doesn't differ much from others Microsoft has previously addressed. Among other things, hackers could exploit gaping security holes in IE to launch remote attacks by enticing victims to open a malicious Web page while running IE, usually through some kind of social engineering scheme delivered via e-mail. Malware would automatically be installed once victims opened the infected site, allowing attackers to take complete control of their PCs or incorporate their machines into a global botnet.

"It's pretty typical of browser bugs. You click on a link and are taken to a Web site where there's some kind of malware that does weird things in HTML or JavaScript," Storms said.

In addition, attackers could also exploit the bug by injecting malicious code into an existing legitimate Web site, or into a site that hosts user-provided content or advertisements, which would likewise infect visitors running affected versions of IE.

However, IE 8 is "not affected by this issue," Microsoft said in a blog post Tuesday.

Microsoft strongly advised users to apply the emergency patch as soon as possible and to upgrade to the most recent version of the browser, IE 8, in order to protect themselves from attacks. Microsoft added that the majority of users will have automatic updating enabled and will not be required to install the update manually.