By Kevin McLaughlin, ChannelWeb
Microsoft on Tuesday (today) will issue its second out-of-band security patch of the year to deal with a zero day vulnerability affecting Internet Explorer 6 and Internet Explorer 7 that’s been used in targeted attacks for the past several weeks.
Security update MS10-018 will patch the IE 6 and IE 7 vulnerability, which is caused by an invalid pointer reference within IE that can be accessed after an object is deleted, paving the way for hackers to carry out remote code execution attacks.
Update MS10-018 also fixes nine additional vulnerabilities, some of which affect IE 8, Microsoft said in a Monday blog post. Microsoft says these nine flaws “were responsibly disclosed” and that it isn’t aware of any active attacks that are targeting them.
Microsoft first warned users of the zero day on March 9 and said at the time that its impact was limited to “targeted” attacks. But the subsequent appearance of exploit code forced Microsoft’s hand and necessitated the out-of-band patch.
In one attack outlined by McAfee Labs, unsuspecting Web surfers who visited the domain topix21century.com were served up a drive-by download of a Trojan named notes.exe, which would then create two copies of itself in the Windows temp directory and generate a .DLL file that, when injected into IE, would give attackers remote access.
Out-of-band patches are rare, but Microsoft in January released one to deal with a major IE vulnerability that was used by hackers in China in attacks against Google (NSDQ:GOOG) and more than 30 other Silicon Valley firms.