Unscheduled patch release from Microsoft? Pay attention

Microsoft's out-of-band security update offers 10 patches for various flavors of Internet Explorer; industry watchers warn IT managers to understand them all.

It’s good and bad that Microsoft releases out-of-band patches. It’s good the company is being proactive to help equip customers against threats, but it’s bad the vulnerabilities pose such a potential risk that immediate action is a must.

Microsoft out-of-band patch demands immediate attention

Microsoft Tuesday released an out-of-band, cumulative security update, MS10-018, that includes one patch that addresses Microsoft Security Advisory 981374, which affects Internet Explorer 6 and Internet Explorer 7. The company also released nine other patches in the cumulative update that impact nine vulnerabilities that are not publicly known at this time.

According to security industry watchers, the company acted fast due to a serious threat to customer systems. And that means IT managers also need to act quickly.

“The catalyst for this out-of-band update is definitely increased activity around the iepeers.dll zero-day vulnerability,” said Joshua Talbot, security intelligence manager at Symantec Security Response, in a statement. “Symantec has also observed a recent spike in attempted infections via this security hole. The typical attempted infection process seems to involve compromising a legitimate Web site then inserting an iframe which redirects users to a malicious site.”

Symantec's Talbot also warned that while the known exploit is said to impact IE 6 and IE 7, IT managers shouldn't underestimate the potential of the nine other vulnerabilities addressed in the security update.

“Though none of the other issues have exploit code publicly available, I think many of them will also be trivially exploitable under certain circumstances,” added Talbot. “For example, users running Internet Explorer 6 and older and those using Windows XP are at the greatest risk. Keep in mind, though, that Internet Explorer 7 and 8 users are also at risk.”

Talbot concluded, “To make a long story short, this is a critical bulletin that needs to be applied sooner rather than later.”

Posted by Denise Dubie


Copyright © 2010 IDG Communications, Inc.
