Qualys Blog

www.qualys.com
wkandek

Critical IE update MS10-018 released

Today Microsoft released MS10-018, a critical bulletin with 10 patches affecting all versions of Internet Explorer. The release includes the patch for the one of the current 0-day exploits against IE6 and IE7, the "iepeers" (KB981374 and CVE-2010-0806) vulnerability. The original schedule for the bulletin was April 13th, during the normal April Patch Tuesday, but it was anticipated because Microsoft has detected an increase in exploits for that 0-day vulnerability..

All users of Internet Explorer 6 and 7 should patch immediately, as the exploit for these versions in known and becoming more popular.

Users of Internet Explorer 8 are not affected by the exploit, but the bulletin contains 2 critical vulnerabilities for this version, so we can expect exploit code for them soon. IT Admins will have to decide whether they can take the risk of patching IE8 only during next patch Tuesday – 2 weeks out, or whether to patch sooner and incur the cost of having 2 separate patch days.

The other open 0-day, the F1 flaw in IE has not been fixed yet, and last week’s PWN2OWN IE8 flaw is still under investigation by the security team at Microsoft, so we will continue to see updates in the browser area.

Leave a Reply