Microsoft Knew of IE Zero-Day Flaw Since September

Author: Ryan Naraine
minute read

Microsoft today admitted it knew of the Internet Explorer flaw used in the attacks against Google and Adobe since September last year.The flaw was in the Microsoft Security Response Center’s (MSRC) queue to be fixed in the the next batch of patches due in February but the targeted zero-day attacks against U.S. companies forced the company to release an emergency, out-of-band IE update.

Microsoft today admitted it knew of the Internet Explorer flaw used in the attacks against Google and Adobe since September last year.

The flaw was in the Microsoft Security Response Center’s (MSRC) queue to be fixed in the the next batch of patches due in February but the targeted zero-day attacks against U.S. companies forced the company to release an emergency, out-of-band IE update.
The IE update applies to all versions of the browser on all Windows OS versions and patches at least eight documented vulnerabilities that could lead to remote code execution attacks.

The patches are included in the critical MS10-002 bulletin.

The vulnerability used in the attacks (CVE-2010-0249) was privately reported to Microsoft last August by Meron Sellen, a white-hat hacker at BugSec, an Israeli security research company. Microsoft program manager Jerry Bryant said the company confirmed the severity of the flaw in September and planned to ship a fix in a cumulative IE update next month.

The vulnerability is described as a remote code execution issue in the way that Internet Explorer accesses an object that has not been correctly initialized or has been deleted.

  • An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Even if you don’t user Internet Explorer for regular Web browser, it’s important for Windows users to apply this update immediately.  That’s because the vulnerability can be exploited by including an ActiveX control in a Microsoft Access, Word, Excel, or PowerPoint file.

“Customers would have to open a malicious file to be at risk of exploitation,” Microsoft’s Bryant said, urging users to disable ActiveX controls in Microsoft Office.

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.