Login

Please login to Techworld.com

Forgot password?
Need your new account confirmation email resent?
Forgot email?

Not a member yet?

Register for a Techworld Account and enjoy unlimited access to our extensive white paper library and exclusive Enterprise multi-user software trials. Account members can also comment on articles and access best practices guides.

Security

Top How-Tos / Advice articles

Microsoft to fix IE zero-day security bug next week

Six updates to fix critical flaws in Windows, IE, Office

By Gregg Keizer | Computerworld US | Published: 10:26, 04 December 2009

Microsoft today said it will deliver six security updates on Tuesday, including one that will patch a vulnerability in Internet Explorer (IE) the company admitted only last week.

The updates will patch a total of 12 flaws in Windows, IE and Microsoft Office, the company said in a follow-up entry to its security response centre's blog .

At the top of the patch list, even Microsoft's own, will be an update for IE 5.01, IE6, IE7 and IE8 that has been pegged as "critical", the firm's highest severity rating in its four-step scoring system.

Related Articles on Techworld

The update will address an IE zero-day vulnerability that Microsoft confirmed 23 November in a security advisory. "I want to point out that Internet Explorer 8 is not affected on any platform and that running Protected Mode in Internet Explorer 7 on Windows Vista mitigates this issue," said Jerry Bryant, a spokesman for the Microsoft Security Response Center (MSRC), in a blog post announcing the advisory last week.

Microsoft's advisory was its reaction to proof-of-concept attack code that had gone public several days before, when it was posted to the popular Bugtraq security mailing list. The sample code exploited a flaw in IE's layout parser, and could be used to hijack fully-patched Windows machines.

Next Tuesday's update, however, will quash bugs in all still-supported versions of IE, not just IE6 and IE7, a fact Microsoft confirmed today . "We want to make customers aware that we will be addressing the vulnerability discussed in Security Advisory 977981 in the IE bulletin on Tuesday," Bryant said in another blog post.

The advisory Bryant called out was the one Microsoft issued last week. "We know that customers are concerned about this issue and we are also aware that Proof of Concept (PoC) code is available publicly."

Microsoft's advance notification spelled out the significance of the problem with IE: All versions of its browser contain one or more flaws when run on Windows 2000, Windows XP, Vista, Server 2003 and even Windows 7. Only the company's newest server products -- Server 2008 and Server 2008 R2 -- are somewhat safer.

However, that doesn't mean IE 5.01 and IE8 are suddenly vulnerable to last week's zero-day exploit, said Andrew Storms, director of security operations at nCircle Network Security. Microsoft confirmed to Storms that the IE update contains fixes for multiple vulnerabilities; it's not unusual for Microsoft to quash several bugs in a single update.

"Last week's zero-day is still not applicable to IE8," Storms said after he consulted with MSRC. "Some other bug is also being patched in the same bulletin."

The attack code that went public 20 November was not only unreliable, according to security experts who dived into the exploit, but was touted as only affecting IE6 and IE7 on Windows XP. Later, Microsoft said that Vista users would be protected to a degree not enjoyed by XP customers because the former's "sandbox" would limit the ability of the exploit to compromise the PC.

Most outside security researchers, including Storms, were pessimistic last week when asked whether Microsoft could scramble fast enough to fix the flaw in IE6 and IE7. Today, he was impressed. "I would have wavered last week [on] whether they would fix it," he admitted. "But given the impact [of the vulnerability] and the fact that there's code out there, I'm not surprised that they managed it."

Other updates slated for release on 8 December include patches for bugs in Windows; Office 2000 and Office 2003; and Microsoft Project 2000, 2002 and 2003. Three of the six updates will be tagged critical, while the remaining trio will carry the "important" label.

"Frankly, the rest don't matter at this point," said Storms, referring to the non-IE updates. "IE is the top of the news for Microsoft today, and will be next week."

The bright spot, said Storms, is that Microsoft keeps ladling more information onto its pre-Patch Tuesday notification , a preview customers rely on to plan their patching strategy for the following week.

"They're blogging and telling us the number of vulnerabilities and the [affected] applications now, which is great," Storms said, applauding Microsoft's moves. "They continue to increase the amount of information they provide. They're setting a real trend here."

Microsoft will release the six updates at approximately 1pm ET on 8 December.

Send to a friend

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.