Saturday, March 13, 2010

Microsoft Patch - For IE 7 or Earlier

If you are running IE 8, you are fine. Better yet, don't use IE at all if you don't have to, because of the security vulnerability.

Microsoft has revised their advisory for the newest IE 0Day vulnerability to note that working exploit code is now available and that they are aware of "targeted attacks attempting to use this vulnerability." They have also created "Microsoft Fix it" links to disable and re-enable the vulnerable software components.

The Fix it automates the registry changes to disable the "peer factory" class and works on Windows XP and Windows Server 2003. Internet Explorer 8 is not vulnerable on any platform, and attacks on IE7 on Windows Vista are limited by the browser running in Protected Mode, preventing the attacker from doing anything useful.

Microsoft says that they are in the testing stage for a patch for the vulnerability but won't say if they will go "out of band" on it. The next scheduled Patch Tuesday is April 13, over a month away, and I would be surprised to see them wait that long. I suggest that the update will be released on Tuesday, March 23, the 4th Tuesday and regular lesser Patch Tuesday of the month, when non-security updates are normally released.

But it could come sooner or later. As Andrew Storms of nCircle recently noted on ThreatPost, the normal patch QA cycle for Microsoft is 54 days, but obviously they can rush things in extraordinary circumstances.
