IE zero-day vulnerability not part of light Patch Tuesday

Absent from the spread this Patch Tuesday is the recently disclosed IE zero-day vulnerability

Microsoft said the bulletins shipping on Patch Tuesday cover Microsoft Office and the Microsoft Forefront Unified Access Gateway. One of the bulletins addresses a critical security flaw affecting all versions of Microsoft Office; the other two bulletins are rated important. All three Patch Tuesday bulletins may require a restart.

Commenting on Patch Tuesday, Wolfgang Kandek, chief technology officer at Qualys, noted that a critical rating on an Office program is “fairly rare”.

“Most vulnerabilities on the Office suite are categorized as ‘important’ because they typically require user interaction to get a successful exploitation. ‘Critical’ here indicates a vulnerability that can be used to take control of the target machine without user interaction, such as MS10-064, where visualizing an e-mail in Outlook’s preview pane was sufficient to trigger the flaw.”

Paul Henry, security and forensic analyst at Lumension, expressed concern about the lack of an IE zero-day vulnerability patch in the Patch Tuesday fixes.

“There continues to be no mention of the IE vulnerability that was found in the wild being used in ‘drive-by’ hacks that allow an attacker to perform a remote code execution, installing malware on the visiting user's system. It affects IE versions 6, 7, and 8, while users of IE 9 beta are safe. So far, Microsoft has published a workaround, but they are not expected to release an out-of-band patch, so it might be more than a month before we'll see a patch for this one. It is interesting to note that Microsoft doesn't believe it represents a significant threat, despite reports that it has been seen in the wild.”

This lack of attention to the IE zero-day vulnerability could come back to bite Microsoft. Robert Thompson, chief research officer at AVG Technologies, said that an exploit for the IE zero-day flaw had been added to the Eleonore attack kit used by criminals to hack into computers that visit compromised websites.

Thompson said that this new attack vector “raises the stakes considerably as it means that anyone can buy the kit for a few hundred bucks, and they have a working zero-day. What this means to Microsoft is that they should consider issuing an out-of-band patch.”

Those wishing to follow up with questions about the Patch Tuesday announcement can join a Microsoft webcast with Microsoft’s Dustin Childs and Jerry Bryant on Wednesday.
