Microsoft Plugs IE Drive-By Download Flaws

Microsoft today shipped a cumulative Internet Explorer update with patches for 10 security holes, including a drive-by download vulnerability that’s already being used in malware attacks.

The critical MS08-018 update patches security holes that could lead to code execution attacks on all versions of Microsoft’s flagship browser, including the newest Internet Explorer 8. 

From the bulletin:

The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The patch comes a full three weeks after the appearance of targeted drive-by download attacks that dropped a backdoor on a hijacked Windows computer.

The backdoor allowed an attacker to perform various functions on the compromised system, including uploading and downloading files, executing files, and terminating running processes.

This chart from the MSRC blog provides a simplified view of the ten vulnerabilities and their aggregate severity on Internet Explorer 6, 7, and 8:

* CVE-2010-0806 vulnerability under active attack.

Commenting on this Article is closed.