What you need to know about Microsoft's emergency IE patch

Microsoft has released security bulletin MS10-018 ahead of Patch Tuesday in response to a zero-day exploit

So far 2010 hasn't been kind to the Microsoft Internet Explorer Web browser. It is only March, and Microsoft is releasing the second emergency out-of-band patch to respond to a zero-day exploit in the wild.

Microsoft released security bulletin MS10-018 today--an update rated as Critical which includes 10 patches affecting all versions of Internet Explorer, including the current zero-day exploit being used to attack IE6 and IE7 browsers. Exploit code for the IE zero-day, dubbed "iepeers", is circulating on the Internet.

Qualys CTO Wolfgang Kandek wrote a blog post stating "Microsoft's decision to accelerate the release rather than waiting until next Patch Tuesday on April 13th is an indication that attacks against the "iepeers" vulnerability are on the rise."

Andrew Storms, Director of Security Operations for nCircle, stresses "Microsoft has a strong commitment to their regular monthly patch cycle, so issuing this patch clearly shows the elevated threat levels related to this zero-day bug. Users that are slow to patch risk remote code execution attacks that can take over a computer."

"Symantec has also observed a recent spike in attempted infections via this security hole. The typical attempted infection process seems to involve compromising a legitimate Web site, then inserting an iframe which redirects users to a malicious site," explains Joshua Talbot, security intelligence manager, Symantec Security Response.

nCircle's Storms declares "All users should install this new patch immediately, and if you haven't already upgraded to IE8, now is a very good time to seriously consider it."

Kandek concurs with that assessment, stating "All users of Internet Explorer 6 and 7 should patch immediately, as the exploit for these versions in known and becoming more popular."

It is worth noting that IE8 is not affected by the zero-day exploit that drove the urgency for this out-of-band update. However, the security bulletin addresses a range of Internet Explorer flaws, including two other critical vulnerabilities that do affect Internet Explorer 8.

Kandek cautions "IT Admins will have to decide whether they can take the risk of patching IE8 only during next Patch Tuesday--two weeks out--or whether to patch sooner and incur the cost of having two separate patch days."

Microsoft responded with unusual expediency to this zero-day exploit, leading many to question how Microsoft was able to develop a patch so quickly. The answer, according to Storms, is "the bug was responsibly disclosed to them before it became public." Basically--it was a zero-day to the general public, but Microsoft was already aware of it and actively researching the fix.

There is another known zero-day vulnerability for Internet Explorer that is not addressed in this update, and Microsoft is still investigating the flaw used to hack Internet Explorer 8 and compromise a fully-patched Windows 7 system at the recent Pwn2Own competition, so Microsoft will still be hard at working patching Internet Explorer.

One thing is increasingly clear with each passing exploit--organizations need to abandon Internet Explorer 6 as soon as possible, and make the switch from Windows XP to Windows 7. Windows 7 and IE* are not impervious--as illustrated by the Pwn2Own contest, but attacking IE6--especially when its running on Windows XP--is just trivial at this point.

Tony Bradley is co-author of Unified Communications for Dummies . He tweets as @Tony_BradleyPCW . You can follow him on his Facebook page , or contact him by email at tony_bradley@pcworld.com .

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags MicrosoftsecurityInternet Explorer

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tony Bradley

PC World (US online)
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?