Qualys Blog

www.qualys.com
wkandek

IE 0-day Patched Out-Of-band

Microsoft released today the patch for the critical Internet Explorer 0-day flaw that has been widely covered by us and the security community in general. MS10-002 fixes a total of 8 vulnerabilities, including the 0-day which is identified as CVE-2010-0249 and is attributed to Meron Sellem from BugSec.

In the MSRC blog post announcing the release, Microsoft gives some insight on how they were able to turn around this patch in record time. Meron had reported the vulnerability in late August of 2009 and Microsoft had it confirmed in early September. By the time of public disclosure of the attacks against Google and others, the fix was in essence ready and tested. It was slated for release in the February Patch bulletin. Microsoft had to decide whether an out-of-band release of the patch was warranted or whether to bundle it into the February release as originally planned. An out-of-band release causes additional work for IT administrators that are tasked with addressing operating system vulnerabilities and are have been feeling the strain of keeping updated the growing number of software packages that attackers are increasingly targeting.

Nevertheless, given that exploits are available and that security researchers have shown that DEP as a defense can be circumvented, we recommend applying this update as soon as possible.

Leave a Reply