Microsoft issues emergency patch for 10 IE holes

Security experts praise Microsoft for patching vulnerabilities now rather than waiting two weeks for the next Patch Tuesday, given the severity of the issues affecting Internet Explorer.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

Microsoft issued an emergency security update on Tuesday to plug 10 holes in Internet Explorer, including a critical vulnerability that has been exploited in attacks in the wild.

The cumulative update, which Microsoft announced on Monday, resolves nine privately reported flaws and one that was publicly disclosed. The most severe vulnerabilities could lead to remote code execution and a complete takeover of the computer if a user were to view a malicious Web site using IE, Microsoft said in the bulletin summary.

Users of IE8 and Windows 7 are not vulnerable to the flaw being used in specific attacks, according to Microsoft. However, software affected by the cumulative update addressing all the IE vulnerabilities includes Windows 2000, Windows XP, Windows Server 2003 and Server 2008, Vista, and Windows 7.

The security bulletin also includes two other bulletins rated "important" that patch a vulnerability in Windows Movie Maker and Microsoft Producer 2003, and seven vulnerabilities in Office Excel.

Security experts were pleased that Microsoft chose to issue an emergency out-of-band patch for the critical IE hole being attacked rather than wait two more weeks for the next Patch Tuesday release.

"We expect to see these kinds of vulnerabilities now," said HD Moore, chief security officer at Rapid7 and chief architect of the Metasploit exploit database. "We're seeing at least one of these IE vulnerabilities exploited in the wild every few months and no patch available at least for three weeks...But they realized this is a bigger issue."

Users of newer versions of Microsoft software shouldn't be complacent when vulnerabilities and exploits first appear to affect only older versions, like IE6, according to Moore. Chances are that exploits affecting the latest versions either exist and haven't been discovered yet or are being worked on by attackers.

For example, exploit code for the main critical IE hole initially affected only IE6, but last week a researcher showed that exploit code works on Windows Vista and IE7. Microsoft has now acknowledged that IE8 could be affected, though it would be harder to exploit, he said.

"Exploiting on Windows 7, 64-bit Windows and IE8, the techniques have become easier," Moore said. Microsoft users should "expect (exploits eventually) to apply to every version of that product."

Symantec has seen a recent spike in attempted infections through the IE security hole that has been targeted in attacks, said Joshua Talbot, security intelligence manager at Symantec Security Response.

"The typical attempted infection process seems to involve compromising a legitimate Web site then inserting an iFrame which redirects users to a malicious site," he said. Although IE8 and Windows 7 users are not affected, "hackers behind the zero-day (IE) attack will start to reverse engineer the update from Microsoft and develop an IE8 attack methodology," said Mickey Boodaei, chief executive of Trusteer, a browser security vendor.

More than 50 percent of Windows users use IE8, while 25 percent of Windows users are still using Internet Explorer 6 or 7, Trusteer said, based on its customer base of 5 million users.

Microsoft initially warned that attackers were exploiting the critical IE hole three weeks ago, releasing Security Advisory 981374 during its most recent Patch Tuesday.

The vulnerabilities addressed in Windows Movie Maker, Microsoft Producer 2003, and Office Excel are less serious than the IE issues, though they work similarly by requiring an attacker to entice a victim to take action. They could allow attackers to take control of a machine remotely through a malicious file in Movie Maker, Producer, or Excel opened by a recipient.

Software affected by those bulletins includes Windows XP, Vista, Windows 7, Office XP, Office 2003, 2007 Microsoft Office System, Office 2004 and 2008 for Mac, Office Excel Viewer, Office Compatibility Pack for Word, Excel and PowerPoint 2007 file formats, Office SharePoint Server 2007, and Producer 2003.