Microsoft Emergency Out-of-Band Security Update


As most of you have heard, there has recently been an exploit targeting a previously unpatched Internet Explorer vulnerability, and it was used in data breaches at some of the largest companies in the world (including Google and Adobe).

In response to the vulnerability and the exploit, Microsoft has announced that it will release an out-of-band emergency patch today, Thursday, January 21st.

Below is some of the information from the notification.

Bulletin Identifier
Microsoft Security Bulletin MS10-002

Bulletin Title
Cumulative Security Update for Internet Explorer (978207)

Executive Summary
This security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles objects in memory, validates input parameters, and filters HTML attributes.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 979352.

Affected Software
All supported versions of Internet Explorer on Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008*, Windows 7, and Windows Server 2008 R2*.
* Where indicated in the Affected Software table on the bulletin Web page, the vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 or Windows Server 2008 R2, when installed using the Server Core installation option. Please see the bulletin Web page at the link below for more details.

CVE, Exploitability Index Rating
CVE-2010-0244: Uninitialized Memory Corruption Vulnerability (EI = 1)
CVE-2010-0245: Uninitialized Memory Corruption Vulnerability (see note below)
CVE-2010-0246: Uninitialized Memory Corruption Vulnerability (see note below)
CVE-2010-0247: Uninitialized Memory Corruption Vulnerability (EI = 1)
CVE-2010-0248: HTML Object Memory Corruption Vulnerability (EI = 2)
CVE-2010-0249: HTML Object Memory Corruption Vulnerability (EI = 1)
CVE-2009-4074: XSS Filter Script Handling Vulnerability (see note below)
CVE-2010-0027: URL Validation Vulnerability (EI = 1)

Note: Please see the Exploitability Index table of the bulletin summary page for more details: http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx

Attack Vectors
A maliciously crafted Web page
A maliciously crafted HTML e-mail

Mitigating Factors
Users would have to be persuaded to visit a malicious Web site.
Exploitation only gains the same user rights as the logged-on account. Users whose accounts are configured with fewer rights on the system could be less affected than users who operate with administrative rights.
By default, all supported versions of Microsoft Outlook and Microsoft Outlook Express open HTML e-mail messages in the Restricted Sites zone.
By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode (Internet Explorer Enhanced Security Configuration).

Restart Requirement
The update will require a restart.
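Because the update needs a restart before it takes effect, a host that shows KB978207 installed but still has a pending reboot is not yet protected. The script below is an added example, not part of the Microsoft bulletin or this post: it checks one or more Windows hosts for the KB978207 package via WMI and reports whether a restart is still owed. It assumes a Windows PowerShell prompt run by a user with administrative rights on the targets, with WMI and the Remote Registry service reachable; the script name and host names are placeholders.

```powershell
# Added example: not from the Microsoft bulletin or this post.
# Checks hosts for the MS10-002 package (KB978207) and reports whether a
# restart is still pending, since the update requires one.
# Assumptions: run from Windows PowerShell as a user with admin rights on the
# targets; WMI and the Remote Registry service are reachable on them.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),   # placeholder: pass your own host list
    [string]$KB = 'KB978207'                          # package number from bulletin MS10-002
)

function Test-HotFixInstalled {
    param([string]$Computer, [string]$Id)
    # Win32_QuickFixEngineering lists installed updates on every version the
    # bulletin covers (Windows 2000 through Windows 7 / Server 2008 R2).
    $qfe = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $Computer `
        -Filter "HotFixID='$Id'" -ErrorAction Stop
    return (@($qfe).Count -gt 0)
}

function Test-PendingReboot {
    param([string]$Computer)
    # Three places Windows records that a restart is owed after servicing.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        # Component Based Servicing: Vista, 7, Server 2008, Server 2008 R2
        $cbs = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')
        # Windows Update agent: all versions
        $wua = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')
        # Files queued for replacement at next boot: also set by update.exe on XP / 2003
        $sm   = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Session Manager')
        $pfro = $null
        if ($sm) { $pfro = $sm.GetValue('PendingFileRenameOperations') }
        return (($cbs -ne $null) -or ($wua -ne $null) -or ($pfro -ne $null))
    } finally {
        $hklm.Close()
    }
}

foreach ($c in $ComputerName) {
    $result = New-Object PSObject -Property @{
        Computer      = $c
        KB            = $KB
        Installed     = $null
        RebootPending = $null
        Error         = ''
    }
    try {
        $result.Installed     = Test-HotFixInstalled -Computer $c -Id $KB
        $result.RebootPending = Test-PendingReboot -Computer $c
    } catch {
        # WMI or remote registry unreachable: report it rather than guessing
        $result.Error = $_.Exception.Message
    }
    $result | Select-Object Computer, KB, Installed, RebootPending, Error
}
```

Saved as, say, Check-MS10-002.ps1 (a hypothetical name), it is run as `.\Check-MS10-002.ps1 -ComputerName ws01,ws02`. Treat a row with Installed = True and RebootPending = True as still exposed until the machine has been restarted, and a row with a non-empty Error as unknown rather than patched. Server Core installations of Windows Server 2008 and 2008 R2 are not affected by this bulletin and can be left out of the host list.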

Bulletins Replaced by This Update
MS09-072

Publicly Disclosed? Exploited?
CVE-2010-0249 has been publicly disclosed prior to release.
CVE-2010-0249 has been exploited in the wild at release.

Full Details
http://www.microsoft.com/technet/security/bulletin/MS10-002.mspx

Better yet, if you really want to be sure you're safe, use a different browser like Firefox or Opera.

About ben.kevan

I am ben kevan... Well yeah... that's about it.
