Microsoft releases Emergency Patch for Internet Explorer Zero Day Flaw; Neither Admits nor Denies Anything

January 21, 2010 - By Justin E. Gehrke

Today, Microsoft released Security Bulletin MS10-002, titled “Cumulative Security Update for Internet Explorer”. Though Microsoft has made no specific acknowledgement or denial, investigations to date by third-party computer giant McAfee and independent researchers have pinned blame for China’s alleged infiltration of Google’s network on this previously unmitigated (and apparently unknown) vulnerability. The bulletin’s Executive Summary states:

“This security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

Versions of Internet Explorer affected include: Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8. Affected Microsoft operating systems run the gamut from Windows 2000 SP4/Windows Server 2003 to the most current iterations, Windows 7/Windows Server 2008. Home users with Automatic Updates configured should have the patch installed automatically. System and network administrators should test the patch prior to actual deployment, since it is too new to state with certainty that web-based applications dependent upon Internet Explorer will not be negatively affected.

In either case, this patch is a “must install” for all Microsoft users. Whether it was the Chinese Government or someone else trying to frame them, the vulnerability is a serious one that could ultimately be used to turn millions of Microsoft PCs into Botnet Zombies.

Source:

Microsoft Security Bulletin MS10-002 – http://www.microsoft.com/technet/security/bulletin/ms10-002.mspx

Justin E. Gehrke is the founder of Geek Shui Living. As a right and left-brained geek, he is available for consulting in the areas of Information Technology, Network Security, and creative web design and development. You can contact him via the Geek Shui Living Contact page. Alternatively, you can follow him, via twitter, and voraciously consume his technology news commentary and random geek ramblings: http://twitter.com/GeekShui
