March 30, 2010, 5:28 PM — So far 2010 hasn't been kind to the Microsoft Internet Explorer Web browser. It is only March, and Microsoft is releasing the second emergency out-of-band patch to respond to a zero-day exploit in the wild.
Microsoft released security bulletin MS10-018 today--an update rated as Critical, which includes 10 patches affecting all versions of Internet Explorer, including the current zero-day exploit being used to attack IE6 and IE7 browsers. Exploit code for the IE zero-day, dubbed "iepeers", is circulating on the Internet.
Qualys CTO Wolfgang Kandek wrote a blog post stating "Microsoft's decision to accelerate the release rather than waiting until next Patch Tuesday on April 13th is an indication that attacks against the 'iepeers' vulnerability are on the rise."
Andrew Storms, Director of Security Operations for nCircle, stresses "Microsoft has a strong commitment to their regular monthly patch cycle, so issuing this patch clearly shows the elevated threat levels related to this zero-day bug. Users that are slow to patch risk remote code execution attacks that can take over a computer."
"Symantec has also observed a recent spike in attempted infections via this security hole. The typical attempted infection process seems to involve compromising a legitimate Web site, then inserting an iframe which redirects users to a malicious site," explains Joshua Talbot, security intelligence manager, Symantec Security Response.
nCircle's Storms declares "All users should install this new patch immediately, and if you haven't already upgraded to IE8, now is a very good time to seriously consider it."
Kandek concurs with that assessment, stating "All users of Internet Explorer 6 and 7 should patch immediately, as the exploit for these versions is known and becoming more popular."
It is worth noting that IE8 is not affected by the zero-day exploit that drove the urgency for this out-of-band update. However, the security bulletin addresses a range of Internet Explorer flaws, including two other critical vulnerabilities that do affect Internet Explorer 8.
Kandek cautions "IT Admins will have to decide whether they can take the risk of patching IE8 only during next Patch Tuesday--two weeks out--or whether to patch sooner and incur the cost of having two separate patch days."