MS Issues Emergency IE Security Update

WrongSizeGlass writes "CNET is reporting that Microsoft has issued an emergency patch for 10 IE security holes. 'The cumulative update, which Microsoft announced on Monday, resolves nine privately reported flaws and one that was publicly disclosed. ... Software affected by the cumulative update addressing all the IE vulnerabilities includes Windows 2000, Windows XP, Windows Server 2003 and Server 2008, Vista, and Windows 7.'"

Pwn2own strikes again

[sxedog]

Amazing... that was only a week ago!

Cnet link not really informative

[Bearhouse]

Ms link here:

http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx

No real sweat for IE8 on Win7...

Re:Cnet link not really informative

[natehoy]

Actually, it is.

This release also addresses CVE-2010-086, which is no sweat for IE8 on Win7, as you say. But note the term "also addresses". That's an important term.

One or more of the other nine vulnerabilities the fix is being released for is labeled as critical, and can cause remote code execution.

Specifically, CVE-2010-0490 (Uninitialized Memory Vulnerability) and CVE-2010-0492 (HTML Object Memory Corruption Vulnerability) are both listed specifically as "Critical - Remote Code Execution" for Windows 7 (both 32 and 64-bit) for Internet Explorer 8. CVE-2010-0494 (HTML Element Cross-Domain Vulnerability) is listed as "Important - Information Disclosure".

Re:Cnet link not really informative

[WrongSizeGlass]

Actually, IE 8 and Windows 7 are listed in that very link you posted.

Internet Explorer 8:
* Windows XP Service Pack 2 and Windows XP Service Pack 3
* Windows XP Professional x64 Edition Service Pack 2
* Windows Server 2003 Service Pack 2
* Windows Server 2003 x64 Edition Service Pack 2
* Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
* Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
* Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2**
* Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2**
* Windows 7 for 32-bit Systems
* Windows 7 for x64-based Systems
* Windows Server 2008 R2 for x64-based Systems**
* Windows Server 2008 R2 for Itanium-based Systems

OS versus Browser

[sunderland56]

If this is an IE bug, why does it only affect some operating systems and not others?

If this is really an issue with the OS support used by IE, then wouldn't it affect Firefox etc?

Patch releases really need a "info for geeks" section.....

Re:OS versus Browser

[ivonic]

The way IE integrates with the OS varies between releases. In XP and earlier, items such as Windows Update and Windows help are running on IE. Since Vista, these have been control panel applets instead, giving malicious code exectued in IE no power over it.

Users using another browser wouldn't be able to execute code that affects these components, but if some malicious code successfully attacks an IE user, it could potentially attack other parts of the system where IE is integrated (and to which IE has some form of access), and then execute code to potentially gain 'control' of a system.

This "remote code execution" usually isn't a hack that a script kiddie could run to gain access to your files, but often it's enough for hackers just to be able to redirect your browser (to fake online banking sites) or even just cause your PC to visit a site. Thousands of compromised PCs visiting a website a thousand times a second each is your basic DDoS attack.

Re:Better links here:

[aztracker1]

Re-read the GP.. the content still gets rendered, even if you don't see it... Which means any exploits still get through.