Microsoft Patches Critical Flaw in Internet Explorer

Submitted by Anthony Kwan on

From DailyTech: While some flaws go unexploited and turn out to be relatively harmless, a recent flaw in Microsoft's Internet Explorer browsers led to some serious damage. Chinese hackers used the memory flaw to execute remote code and steal valuable information from some of the tech industry's biggest firms, including Google and Adobe. Even as investigators sort out the mess, Microsoft is moving to plug the source of the problem.

Late last week Microsoft released a new patch which fixes several memory flaws in Internet Explorer 5, 6, 7, and 8 (IE 8 has memory protections, which typically make these flaws much harder to exploit). The updates are available here for a variety of Windows operating systems under the Microsoft post MS10-002. Microsoft calls the update "critical" for most of its operating systems.

The update was important enough that Microsoft aired it "out of band". Typically Microsoft releases patches once a month (on a Tuesday known as "Patch Tuesday") business IT administrators typically grab these monthly packages and the patches also trickle down to public consumers via Windows Update. In this case, the patch was deemed critical enough to release a special early patch to help safeguard businesses.

One trojan that exploits the flaw -- Trojan.Malscript!html -- has already polluted the internet, currently being found on multiple sites, according to Symantec security researchers (the linked entry hasn't been update yet -- it has since spread to more sites). While Internet Explorer typically warns when files are being downloaded, the cleverly programmed trojan bypasses this dialog giving the user no indication that foul play is afoot.

Microsoft has had its hands full lately. In addition to the IE flaw, much attention was also drawn to an elevation of privilege vulnerability in a Windows subsystem typically used with legacy code. This flaw, though, was less dangerous as it would only allow a user who already had local access to the system to execute code with administrative rights.

View: Article @ Source Site

Connect with us

Know us more

© Since 2005 APH Networks Inc. All trademarks mentioned are the property of their respective owners.