Microsoft Issues Patch Tuesday IE Warning

Microsoft issued a warning for Internet Explorer users as the company pushed out its monthly round of patches to cover security holes in Windows and Microsoft Office Excel.

In an advisory, the company warned that a new vulnerability was being targeted in attacks against Internet Explorer 6 and 7.  IE 8 is not believed to be affected. According to Microsoft, the vulnerability is due to an invalid pointer reference being used within IE and can be exploited by tricking users into visiting a malicious or compromised Web page.
“At this time, we are aware of targeted attacks attempting to use this vulnerability … Based on our investigation, setting the Internet zone security setting to High will protect users from the issue described in this advisory,” the company stated.

Besides changing the Internet zone settings, users can also modify the access control list on iepeers.dll. Instructions are contained within the advisory.

In addition to the advisory, Microsoft released two security bulletins on 9 March for Patch Tuesday. The bulletins fix eight vulnerabilities affecting Windows and Office. Both security bulletins are rated important—the company’s second-highest designation—and both were given an exploitability index rating of 1, meaning development of successful attack code relating to the vulnerabilities they fix is likely.

MS10-016 addresses a vulnerability in Windows Movie Maker and Microsoft Producer 2003 that could allow an attacker to remotely execute code if a victim opens a specially crafted Movie Maker or Producer file. Windows Live Movie Maker, which is available for Windows Vista and Windows 7, is not affected by this vulnerability.

The second bulletin, MS10-017, addresses seven vulnerabilities that impact all supported versions of Microsoft Office Excel. “MS10-017 should be addressed first on your network,” Jason Miller, data and security team leader at Shavlik Technologies, said in an e-mail. “Microsoft Excel attachments are as common as Meryl Streep nominations at the Oscars [and] opening a malicious Excel document could lead to remote code execution.”

It is important to note that MS10-016 affects Microsoft Producer 2003, he added, and that rather than provide a patch, Microsoft is suggesting administrators remove the affected component from their machines. “This is a great example of why administrators should take time each month and research the information associated with each bulletin,” Miller said. “Simply blindly pushing out patches does not necessarily make your network secure.”

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

View Comments

  • I think that covers it.

    It's a very light Patch Tuesday, but we've had a ton of press releases from security companies wanting to comment on it.

    Shavlik, Lumension and Symantec so far. Come on Sophos and Imperva, where are you?

    Peter Judge, UK Editor

Share
Published by
Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved
Tags: IE

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

3 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

3 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago