Microsoft Delivers IE Update, Patches Zero Day Flaw

From Microsoft:

Microsoft issued out-of-band security update MS10-018 to address the vulnerability described in Microsoft Security Advisory 981374, affecting Internet Explorer 6 and Internet Explorer 7.  Internet Explorer 8 is unaffected by the vulnerability in Security Advisory 981374, and is not vulnerable to any of the current attacks. We have been monitoring this issue and have determined that an out-of-band release is needed to protect customers. Microsoft recommends that customers test and deploy this security update as soon as possible.

Because Security Bulletin MS10-018 is a cumulative update, it will also address nine other privately reported vulnerabilities in Internet Explorer that were planned for release on April 13. The update is rated "Critical" and applies to all currently supported versions of Internet Explorer including Internet Explorer 8, because three of the additional vulnerabilities impact Internet Explorer 8 on Windows 7.

The most severe vulnerabilities could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. However, customers whose accounts are configured with fewer user rights, such as not running in administrative mode on the system, may be less impacted than those who operate with administrative user rights.

Fire up Windows Update if you'd like to install this immediately. I had to click "Check for updates" to get it to appear.

Discuss this Article 17

Grannyville
on Mar 30, 2010
Thank you for the heads up, Paul. Installing the update as we speak.
Dr. Daniel Jackson
on Mar 30, 2010
This update is unnecessary, anyone stupid enough to use IE 6, deserves to be hacked and their computer destroyed, and never allowed to touch anything electronic ever, ever again. I am tired of leaving boring comments on this blog, I am going to start writing absurd and retarded things, like most everyone else here :)
Dipsh t Admin
on Mar 30, 2010
It is technically incorrect that this only affects IE6 and 7. It also affects 8. It just happens to be a cumulative update, and does patch a critical flaw. http://www.microsoft.com/technet/security/bulletin/MS10-018.mspx
anonymous
on Mar 30, 2010
This post was mentioned on Twitter by gretchenglas: Microsoft Delivers IE Update, Patches Zero Day Flaw: From Microsoft: Microsoft issued out-of-band security upd... http://bit.ly/cBgPsd
Waethorn
on Mar 30, 2010
WSUS will grab 'em for me and deploy them automatically. We have security updates applied to PCs automatically (not to the server though - that requires manual intervention). BTW: Good feed to follow: https://www.microsoft.com/security/portal/RSS/UpdatesRSS.aspx You can thank me for adding some detections too. I always send Microsoft new samples of the numerous variations of fake antivirus programs, and they always add them within a day or two. The process is pretty easy.
Waethorn
on Mar 30, 2010
"This update is unnecessary, anyone stupid enough to use IE 6, deserves to be hacked and their computer destroyed, and never allowed to touch anything electronic ever, ever again." You mean like Fortune 5000 companies that still maintain legacy intranet applications in a sandbox? Security is a two-edged sword. Yes, good security practices help to protect you from the nasty stuff, but there are often smarter ways to mitigate security issues rather than just ripping out the old and replacing with the new. BTW: Despite the fact that Microsoft is pushing out IE8 via Automatic Updates, there was a time when IE6 was the most secure version available, and the accepted norm. What is Microsoft's support policy on IE6? IHNI, but I suspect that support will end when support of XP ends, since IE6 was bundled with XP, and never replaced in any Service Pack (even though Service Packs are supposed to include security rollups).... So the next time someone says that XP is, and continues to be the best Windows version, you can laugh at them and call them a heretic for supporting incompatible web standards and security that is considered by today's standard as grossly inferior (considering that it was Windows Vista that actually fixed a lot of those issues). IMO, XP lovers = IE6 lovers. So, :-p PPFFFFT
Dr. Daniel Jackson
on Mar 30, 2010
"So the next time someone says that XP is, and continues to be the best Windows version, you can laugh at them and call them a heretic for supporting incompatible web standards and security that is considered by today's standard as grossly inferior (considering that it was Windows Vista that actually fixed a lot of those issues)." I agree completely, and clearly the sarcasm of my last post was lost on you. Again.
Waethorn
on Mar 30, 2010
"I agree completely" So you agree that Windows Vista had better security and better web standards support than XP. In essence, you could say it was a better operating system than Windows XP. Good to know. "clearly the sarcasm of my last post was lost on you" The only thing that I took seriously was this part: "anyone stupid enough to use IE 6, deserves to be hacked" The rest I ignored. I just don't understand the reasoning behind this. There are businesses that still use IE6, safely. Microsoft customers that take appropriate precautions and still get hacked, do so because their precautions aren't good enough - not because they use IE6. If their system is appropriately locked down in regards to inter/intranet use, they need to look at other vectors of attack besides just their web browser. FYI: There are many ways to mitigate security issues that affect compatibility, but app presentation virtualization from a centralized source is probably one of the easiest to deploy and to manage, even though licensing might cost more. At least by virtualizing apps on an individual basis, you don't have to worry about figuring out the cost of network bandwidth vs. local processing for everything else (tip: local processing is much cheaper).
Dr. Daniel Jackson
on Mar 30, 2010
I use Vista Enterprise at work, I was done with XP a long time ago when I started using 10.4 FYI: I'm done arguing with you, given I agree with you. I was just being a smart ass. TIP: STFU
DRWAM
on Mar 30, 2010
Waethorn is correct. Some of our enterprise third party software requires IE 6 [at the office], so updates are blocked. Fortunately, IE 8 works with all of our home apps. It's my browser of choice for Windows. I think only one of my 3 PCs has FF, but it is seldom used.
Dr. Daniel Jackson
on Mar 30, 2010
"It's my browser of choice for Windows" I've always been knee jerk anti-IE, I did a system restore back to Windows 7 on one of my net-books, (I was checking out Moblin, it sucked), and I haven't put Firefox on it yet, and I am pleasantly surprised, at the speed and features of IE8, I added the simple ad block, Paul talked about a few weeks ago and I think I might try it out for a while, we'll see. @DRWAM What's your choice on Snow?
Backup77
on Mar 30, 2010
Obviously Microsoft felt it could not wait until the regular monthly update roll up so it's good they have released this out-of-band update to fix the IE exploit. Didn't have to manually check updates it installed automatically. Reboot required.
Waethorn
on Mar 30, 2010
I just tried Opera 10.51 yesterday. What a letdown! I go to VEVO.com to watch a few music videos, and as soon as I go to the artist page and scroll up or down a bit, the mouse scroll abruptly stops working, and none of the links work (the mouse cursor doesn't recognize them as links). The browser hasn't crashed completely, but the page is inoperable unless I reload it or go to a different tab. I dunno if there's a Flash element in there somewhere, but this is even before I get to a video playback page at all. I suspect a JavaScript incompatibility that causes the freeze up, and with all of their talk about JS perf and compatibility improvements, that's a big FAIL! ....back to IE8. @DJ: Moblin is neat for what it's designed to do, but it's dead too. It's merged with Maemo to become "MeeGo" (a stupid name...it should be called "MeeToo"). Problem is, that was announced over a month ago, and Moblin's been stagnant since long before that, and there's still no MeeGo downloads available. Moblin was once a netbook-targeted Linux-based OS and development platform to turn netbooks into more of an appliance computer. Now, MeeGo is designed to be another smartphone OS. Even Intel has admitted to that. MeeGo will likely be Intel's only avenue to get Atom processors into smartphones, but I doubt it will get there. The whole situation reminds me of a messaging program that an MSN team developed called threedegrees. Nice music sharing feature, but it didn't last cuz they killed the project before it ever got off the ground. BTW: Remember that it's better to be a smart ass than a dumb ass. And don't confuse the two.
rr0de74@live.com
on Mar 30, 2010
More detail here... http://news.cnet.com/8301-27080_3-20001428-245.html?tag=newsEditorsPicks... Hmm I wonder how many times I have heard the words "Microsoft issues emergency patch for IE" in the last 10 years? 100? 1000? 10000? At what point do all of the lines of code written in patches equal more lines than the original? Sadly at work we are still on IE6, but the last major app that requires it gets updated in 2 weeks. IE8 gets pushed out to the clients a week later!!!!
Grannyville
on Mar 30, 2010
@ Dr Daniel Jackson If it interests you, my browser of choice on Snow Leopard is Safari. I've used Google Chrome and Firefox on OS X and they work perfectly fine but I pick Safari over everyone else because I prefer the UI on it and it does everything that I need it to do. I like Safari so much that I have it installed along with IE8 on my Windows computers and I tend to bounce between the two.
tayme
on Mar 31, 2010
@rr0de74 - "At what point do all of the lines of code written in patches equal more lines than the original?" Probably never...since a majority of the patching replaces code and becomes part of the original and does not supplement it. The same could be said for OS X, I guess. The most recent patch was pretty huge - http://news.yahoo.com/s/zd/20100329/tc_zd/249626 ---> http://support.apple.com/kb/HT4077 We have finally moved to IE7 at work and still have some minor issues with some of our web apps handling tabbed browsing. No big issues, but just nuisances. At home, I do not use Windows at all anymore...at least until I rebuild my desktop PC. On our Macs, we use Firefox for the most part. I usually will give Safari a try after an update rolls out to see if it offers any improvements. It seems like Flash is getting more quirky on both browsers on the Macs. --tayme
Dr. Daniel Jackson
on Mar 31, 2010
@Grannyville Yeah I like the UI on Safari too, it's my main browser on 10.6, I have just always worried about security in Safari, even Mac guys say it's kinda lax, I remember a Macworld article a while back just shredding it on security, or just ask Charlie Miller. @ Waethorn Moblin will be OK on a phone, as it has a more firmware feel, than an actual OS feel, It was very fast on my 1.6 Atom, but I'd rather have Windows 7 on my net-book, I was just curious to try it out. I am not much of a Linux guy. I wouldn't mind having an Atom based phone, but does anyone really care? I don't see the market clamoring for it. "Remember that it's better to be a smart ass than a dumb ass. And don't confuse the two." Unfortunately I have been both in large quantities my whole life
