Internet Explorer: Microsoft corrects 10 security holes
March 31st, 2010 - 03:10 pm ET by J. G.
Microsoft has published an emergency security update for Internet Explorer which corrects ten vulnerabilities, including a critical one which was exploited at the beginning of March.
Microsoft has published an emergency security update, something that rarely happens outside of Patch Tuesday, the second Tuesday of each month. This is the second time in 2010 that Microsoft has taken such measures for Internet Explorer, following the correction of the fault in IE6 which was used in the Chinese cyber attacks against Google.
The emergency this time was to correct a 0-day security vulnerability which was used in computer attacks. This update is only applied to versions 6 and 7 of Internet Explorer, leading Microsoft to continue to recommend that users update to version 8 to benefit from increased protection measures. The fault in question concerns the iepeers.dll software library.
The update is nevertheless cumulative, correcting other vulnerabilities. These would normally have been corrected on the 13th of April during the regular patch cycle, but Microsoft has instead decided to kill two birds with one stone. There are nine vulnerabilities corrected in addition to the 0-day fault (mainly linked to memory corruption), with some being critical and also affecting IE8. The big difference is that Microsoft was made aware of them confidentially, which means that they were not the subject of public release.
Microsoft detailed the contents of this update in their MS10-018 security alert through the table listed below, documenting which versions of IE are affected (the asterisk corresponds to the vulnerability currently exploited by attackers):
When questioned about the vulnerability used within the Pwn2Own hacking competition, Microsoft indicated that the problem was being studied, but had not yet been corrected. It should be remembered that vulnerabilities used in this competition are reported to developers in a responsible manner, which Microsoft indicated means without public release.