Microsoft Readies Patch for Recently Uncovered, Actively Exploited IE Vulnerability

Article by George Norman (Cybersecurity Editor)

on 15 Mar 2010

On Tuesday, March 9, Microsoft rolled out two security bulletins that addressed a total of 8 security holes in the Windows operating system and the Office productivity suite. On the same day, Microsoft announced that it was aware of a new vulnerability that “exists due to an invalid pointer reference being used within Internet Explorer.” An attacker who successfully exploited the vulnerability, Microsoft said at the time, could achieve remote code execution on the targeted machine.

The bad news surfaced just a few days after Microsoft's announcement: attackers were indeed actively exploiting the vulnerability to infect Windows-powered computers with a Trojan. The upside is that the latest iteration of the Microsoft-developed browser, Internet Explorer 8 (IE8), is not affected. Only IE6 and IE7 are affected, so at least from a security point of view, you are well advised to upgrade.

When Microsoft uncovered this IE vulnerability, it released Security Advisory 981374 to give its customers guidance on how to stay protected. On Friday, March 12, that security advisory was updated with new workaround information.

“On Wednesday we added a workaround to the advisory that helps to mitigate the vulnerability by disabling the peer factory class through the modification of a registry key. With [Friday]’s update, we have added a Microsoft Fix It to automate this workaround for Windows XP and Windows Server 2003 customers,” said Jerry Bryant, Senior Security Communications Manager Lead with the MSRC (Microsoft Security Response Center).
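For administrators who want to check whether a machine is exposed before the patch ships, the following PowerShell script is an added example (it is not from the article, the advisory or Microsoft's Fix It). It reads the installed Internet Explorer major version, which the article says determines exposure (IE6 and IE7 affected, IE8 not), and checks whether the registry workaround has been applied. Assumptions: the workaround is modelled as the standard ActiveX kill bit (Compatibility Flags 0x400) for the class in question, and the CLSID below is a placeholder to be replaced with the identifier given in Security Advisory 981374.

```powershell
# Added example, not the article's or Microsoft's own code.
# PLACEHOLDER: replace with the peer factory class CLSID from Security Advisory 981374.
$PeerFactoryClsid = '{00000000-0000-0000-0000-000000000000}'

function Get-IEMajorVersion {
    # IE records its version under this key; svcVersion exists only on newer releases.
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction Stop
    $version = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
    return [int]($version.Split('.')[0])
}

function Test-KillBitSet {
    # ASSUMPTION: the workaround sets the ActiveX kill bit (0x400) for the class.
    param([string]$Clsid)
    $path = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $path)) { return $false }
    $flags = (Get-ItemProperty -Path $path).'Compatibility Flags'
    return (($flags -band 0x400) -ne 0)
}

$major   = Get-IEMajorVersion
$killBit = Test-KillBitSet -Clsid $PeerFactoryClsid

if ($major -ge 8) {
    Write-Output "IE $major installed: not affected per Security Advisory 981374."
} elseif ($killBit) {
    Write-Output "IE $major installed: affected version, but workaround (kill bit) is applied."
} else {
    Write-Output "IE $major installed: AFFECTED and workaround not applied; apply the Fix It or upgrade to IE8."
}
```

Run it in an elevated PowerShell session on XP/2003/Vista/7 hosts; the output line is suitable for collection by whatever inventory tooling the environment already uses.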

Since the vulnerability is being actively exploited in the wild, it is believed that Microsoft will roll out an out-of-band patch. Jerry Bryant confirmed that an out-of-band patch remains a possibility.

“We have seen speculation that Microsoft might release an update for this issue out-of-band. I can tell you that we are working hard to produce an update which is now in testing. This is a critical and time intensive step of the process as the update must be tested against all affected versions of Internet Explorer on all supported versions of Windows. Additionally, each supported language version needs to be tested as well as testing against thousands of third party applications. We never rule out the possibility of an out-of-band update. When the update is ready for broad distribution, we will make that decision based on customer needs,” said Bryant.

To my mind, you should use this occasion to upgrade from IE6 and IE7 to IE8, the safest browser in the Internet Explorer range.
