Microsoft issued a warning for Internet Explorer users as the company pushed out its monthly round of patches to cover security holes in Windows and Microsoft Office Excel.
In an advisory, the company warned that a new vulnerability was being targeted in attacks against Internet Explorer 6 and 7. IE 8 is not believed to be affected. According to Microsoft, the vulnerability is due to an invalid pointer reference being used within IE and can be exploited by tricking users into visiting a malicious or compromised Web page.
“At this time, we are aware of targeted attacks attempting to use this vulnerability … Based on our investigation, setting the Internet zone security setting to High will protect users from the issue described in this advisory,” the company stated.
Besides changing the Internet zone settings, users can also modify the access control list on iepeers.dll. Instructions are contained within the advisory.
In addition to the advisory, Microsoft released two security bulletins on 9 March for Patch Tuesday. The bulletins fix eight vulnerabilities affecting Windows and Office. Both security bulletins are rated important—the company’s second-highest designation—and both were given an exploitability index rating of 1, meaning development of successful attack code relating to the vulnerabilities they fix is likely.
MS10-016 addresses a vulnerability in Windows Movie Maker and Microsoft Producer 2003 that could allow an attacker to remotely execute code if a victim opens a specially crafted Movie Maker or Producer file. Windows Live Movie Maker, which is available for Windows Vista and Windows 7, is not affected by this vulnerability.
The second bulletin, MS10-017, addresses seven vulnerabilities that impact all supported versions of Microsoft Office Excel. “MS10-017 should be addressed first on your network,” Jason Miller, data and security team leader at Shavlik Technologies, said in an e-mail. “Microsoft Excel attachments are as common as Meryl Streep nominations at the Oscars [and] opening a malicious Excel document could lead to remote code execution.”
It is important to note that MS10-016 affects Microsoft Producer 2003, he added, and that rather than provide a patch, Microsoft is suggesting administrators remove the affected component from their machines. “This is a great example of why administrators should take time each month and research the information associated with each bulletin,” Miller said. “Simply blindly pushing out patches does not necessarily make your network secure.”
Italy, White House issue joint statement condemning 'discriminatory' tech taxes as US seeks to end…
Italian newspaper Il Foglio says four-page AI-generated supplement published every day for a month shows…
Huawei launches Titanium edition of Eyewear 2 smart glasses with gesture controls and AI-powered simultaneous…
Gerald Yin, founder, chairman and chief executive of key Chinese chip tools maker AMEC, drops…
Intel reportedly tells clients in China some of its AI chips will now require export…
New Intel chief executive Lip-Bu Tan flattens company's leadership structure as he seeks to end…
View Comments
I think that covers it.
It's a very light Patch Tuesday, but we've had a ton of press releases from security companies wanting to comment on it.
Shavlik, Lumension and Symantec so far. Come on Sophos and Imperva, where are you?
Peter Judge, UK Editor