'Critical' Off-Cycle IE Patch Released

Microsoft today released its second "critical" off-cycle patch for Internet Explorer this year.

The patch (MS10-018) fixes 10 vulnerabilities in Microsoft's Web browser. The most serious is a remote code execution (RCE) vulnerability that can be exploited if a user visits a specially crafted Web page during an IE browsing session. The patch is a cumulative update that was released earlier than usual; it was originally planned for Microsoft's April Patch Tuesday security rollout.

Redmond explained that the fix is "critical for all supported releases of Internet Explorer." Those supported browsers include IE 5.01, IE 6 Service Pack 1, IE 6 on Windows clients, and IE 7 and 8 on Windows clients.

For Windows servers, the ratings for this security bulletin slip to "important" for IE 6 and "moderate" for IE 8.

This bulletin fixes the highly publicized, actively exploited zero-day vulnerability in Internet Explorer that Microsoft first disclosed in a security advisory issued alongside its March security update, followed by a workaround released about a week later. In addition to that zero-day, the bulletin fixes nine other "privately reported" vulnerabilities in IE.

IT pros who applied Microsoft's interim workaround should remove it before installing this latest patch, according to Jason Miller, data and security team manager at Shavlik Technologies.

"If administrators used any of the workarounds suggested in the [March] security advisory that prompted this out-of-band release, it is important for them to un-apply the workarounds," he said. "This will restore functionality that was lost due to the temporary fix."

This latest out-of-band patch may reflect an increased tendency on the part of Microsoft to issue patches outside the normal monthly rollout cycle. In both 2008 and 2009, Microsoft released only two out-of-band security bulletins to fix critical vulnerabilities, yet it has already matched that number before the end of March 2010.

"It's only March and for the second time this year, Microsoft has released an out-of-band patch to address critical vulnerabilities in Internet Explorer," noted Andrew Storms, director of security at nCircle. "Let's hope this isn't the start of a bad trend for Microsoft in 2010."

The reaction to this latest off-cycle patch was mixed among other security pros. Some suggested that enterprise users should rely on other browsers as a replacement or backup for IE. Others praised Microsoft's speed and the fact that the availability of public exploit code now appears to accelerate Microsoft's response to privately reported vulnerabilities as well.

"IT functions are being held hostage by the Windows operating systems and associated Microsoft applications, such as the IE browser," said Amrit Williams, CTO of BigFix. "We must look for alternatives or implement controls that can isolate or segment aspects of the computing environment."

Williams pointed IT administrators toward browser alternatives, such as Mozilla's Firefox and Google's Chrome, as well as "alternative computing paradigms," such as desktop virtualization, which can sandbox difficult-to-manage and highly targeted applications.

Microsoft's off-cycle patching efforts were seen in a more positive light by hacker and exploit guru H.D. Moore of software security firm Rapid 7.

"Microsoft's shift from reactive updates to proactive patching is a much more profound shift than it appears," said Moore, who is Rapid 7's chief security officer. "Patching the other nine issues early confirms that Microsoft factors public exploits in their own prioritization, which is a natural next step from their Exploitability Index."

Moore added that the public exploit code for the zero-day from the earlier security advisory gave Microsoft an "early release vehicle for the other nine issues." He added that Microsoft's response "sends a strong message that they acknowledge the connection between browser security and the research community."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
