January 21st, 2010, 19:59 PM
Microsoft fixes 8 IE holes, including one used in attacks
Microsoft on Thursday issued a cumulative critical patch for Internet Explorer that fixes eight vulnerabilities, including a hole targeted in the China-based attacks on Google and other U.S. companies.
The security update is rated critical for all supported releases of IE 5, 6, 7, and 8, according to the advisory. The more severe vulnerabilities could allow remote code execution if a user views a malicious Web page using IE, it said.
This IE security update was already planned for release on the next scheduled Patch Tuesday (February 9), Jerry Bryant, senior security program manager at Microsoft, said in a blog post.
Microsoft has known about the hole for at least four months, after it was privately disclosed to the company, Bryant said.
"When the attack discussed in Security Advisory 979352 was first brought to our attention on January 11, we quickly released an advisory for customers two days later," he wrote. "As part of that investigation, we also determined that the vulnerability was the same as a vulnerability responsibly reported to us and confirmed in early September."
Installing the IE update addresses the vulnerability across all applications, including those that use the same dynamic link library and allow active scripting, which were discovered to be possible attack vectors, he said.
Full story: c|net