Another Internet Explorer Flaw

March 9, 2010

In addition to the patches it released earlier today, Microsoft has confirmed that it is investigating another security vulnerability in its Internet Explorer Web browser.  The flaw is potentially a serious one, since under certain conditions it could allow an attacker to execute arbitrary code remotely:

The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

According to Microsoft, the vulnerability does not affect Internet Explorer, version 8 (the latest version), but it does affect the earlier versions 6 and 7, on all supported Windows versions except Windows 7 (which ships with Internet Explorer 8).

Microsoft says it is only aware of “targeted” attacks (ones focused on a specific organization or individual) against this vulnerability at present, but it is fairly common for attacks to become steadily more widespread, as more of the Bad Guys learn how to work the exploit.

There is no fix available at present; the Security Advisory contains some suggested mitigation steps.  If you are using Internet Explorer, you should upgrade to version 8 if you have not already done so, or consider switching to a more secure browser, such as Firefox or Opera.
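The advisory's description of the flaw, a pointer that is still used after the object it refers to has been deleted, is the general use-after-free pattern. The following C program is an added illustration, not code from the original post or from Microsoft: it builds a small constructed slab of objects, models the dangling-reference case as an unchecked read through a retained slot index, and beside it shows the defensive alternative, generation-stamped handles that are refused once the object is freed or its slot is recycled. The slab layout, the poison fill value and all function names are constructed for this example.

```c
/* Added example (not from the original post): a toy slab of "objects" whose
 * lifetime is tracked by generation-stamped handles. The raw-index path models
 * the dangling-reference pattern the advisory describes; the handle path shows
 * the check that rejects access after the object is deleted. The slab, poison
 * value and handle layout are constructed for this illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SLOTS 4
#define POISON_PAYLOAD 0x7F7F7F7F  /* fill written over a freed object, as debug heaps do */

typedef struct {
    uint32_t generation;  /* incremented on every free; stale handles carry an older value */
    bool     live;
    int      payload;     /* the object state a caller reads */
} slot_t;

typedef struct {
    uint32_t index;       /* which slot (what a raw pointer would address) */
    uint32_t generation;  /* which lifetime of that slot the holder was given */
} handle_t;

typedef struct { int refused; int fresh; } check_result_t;

static slot_t arena[SLOTS];

/* Allocate: first free slot, payload set, handle stamped with the slot's current generation. */
handle_t obj_alloc(int payload)
{
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (!arena[i].live) {
            arena[i].live = true;
            arena[i].payload = payload;
            return (handle_t){ i, arena[i].generation };
        }
    }
    return (handle_t){ UINT32_MAX, 0 };  /* slab exhausted */
}

/* Free: poison the payload and bump the generation so every outstanding handle goes stale. */
void obj_free(handle_t h)
{
    if (h.index >= SLOTS || !arena[h.index].live) return;
    arena[h.index].live = false;
    arena[h.index].payload = POISON_PAYLOAD;
    arena[h.index].generation++;
}

/* Unchecked access through a retained index: the dangling-reference pattern.
 * Whatever currently occupies the slot is returned: poison, or another object's data. */
int raw_read(uint32_t index)
{
    return arena[index].payload;
}

/* Checked access: the slot must be live AND the generation must match the handle's. */
int safe_read(handle_t h, int *out)
{
    if (h.index >= SLOTS) return -1;
    const slot_t *s = &arena[h.index];
    if (!s->live || s->generation != h.generation) return -1;  /* deleted or recycled */
    *out = s->payload;
    return 0;
}

/* Scenario 1: read through the stale index right after the object is freed. */
int read_after_free(void)
{
    handle_t h = obj_alloc(42);
    obj_free(h);
    return raw_read(h.index);            /* POISON_PAYLOAD: the object is gone */
}

/* Scenario 2: the slot is recycled for a new object before the stale index is used. */
int read_after_reuse(void)
{
    handle_t old = obj_alloc(42);
    obj_free(old);
    handle_t fresh = obj_alloc(99);      /* lands in the same slot */
    int v = raw_read(old.index);         /* 99: the stale reference now reads the new object */
    obj_free(fresh);
    return v;
}

/* Scenario 3: the same sequence through checked handles. Both stale reads are refused
 * (before and after the slot is reused); the fresh handle still reads its own object. */
check_result_t checked_sequence(void)
{
    check_result_t r = { 0, -1 };
    int v = 0;
    handle_t old = obj_alloc(42);
    obj_free(old);
    if (safe_read(old, &v) != 0) r.refused++;   /* slot is dead */
    handle_t h2 = obj_alloc(99);
    if (safe_read(old, &v) != 0) r.refused++;   /* slot live again, but generation moved on */
    if (safe_read(h2, &v) == 0) r.fresh = v;
    obj_free(h2);
    return r;
}

int main(void)
{
    printf("raw read after free:  0x%x\n", read_after_free());
    printf("raw read after reuse: %d\n", read_after_reuse());
    check_result_t r = checked_sequence();
    printf("checked: %d stale reads refused, fresh object reads %d\n", r.refused, r.fresh);
    return 0;
}
```

The second scenario is the one that matters for a browser: a freed object's memory is quickly reused, so the stale reference does not read poison but the contents of whatever was allocated next, which is why a liveness flag alone is not enough and the handle must also carry the generation. Real heaps make the dangling read undefined behaviour rather than a deterministic poison value; the constructed slab keeps it observable so the two paths can be compared.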

Update, Thursday, 11 March, 15:30 EST

The German online magazine Heise is reporting (in German) that an exploit for this vulnerability has been published on the Internet, in the form of a module for the Metasploit framework.  So far as I am able to tell, there is no patch available yet.

Microsoft Security Patches, March 2010

March 9, 2010

As expected, Microsoft today released two security fixes, MS10-016 and MS10-017, that address eight different security vulnerabilities.  The fixes, which are described in the Microsoft Security Bulletin Summary, affect Windows XP, Windows Vista, and Windows 7, as well as a number of Microsoft Office components.  Mac users should note that MS Office for the Mac is also affected.

These fixes are rated as Important by Microsoft, and should be available via Windows Update.  Alternatively, there are download links in the Security Bulletin Summary.  As usual, the good folks at the SANS Internet Storm Center have published their summary and assessment of this month’s patches.  They have rated one of the patches, MS10-017, as Critical for desktop machines.

So far, I have seen no reports of problems with these patches.  I recommend you install them as soon as you conveniently can.
