Microsoft Security Bulletin MS10-002 - Critical
Date: 21 January 2010
The purpose of this Alert is to make system owners aware that a critical patch has been issued by Microsoft outside of the normal monthly patch cycle, to address a recent publicly reported vulnerability in Internet Explorer that was used in targeted attacks on the Internet.
A vulnerability exists in the Internet Explorer browser whereby an invalid pointer reference within Internet Explorer may allow remote code execution. Under certain conditions, the invalid pointer can be accessed after the object it refers to has been deleted. In a specially crafted attack, the attempt to access that freed object can allow Internet Explorer to execute attacker-supplied code.
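The defect class described above, a pointer that is still held after the object it points to has been deleted, is easiest to see in a small model. The following C program is an added illustration written for this alert; it is not Internet Explorer's code, and the `Element`, `Handler` and `live_objects` names are assumptions made for the example. It contrasts a handler that copies a raw pointer with one that takes a counted reference, which is the discipline that keeps such a pointer valid until every holder has let go.

```c
/* Added example (not Microsoft's or CCIRC's code): a constructed model of an
 * object that is deleted while another component still holds a pointer to it,
 * and of the reference-counting discipline that prevents the dangling pointer. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical DOM-like element; the fields are assumptions for illustration. */
typedef struct Element {
    int refcount;
    char tag[16];
} Element;

/* Number of Elements currently allocated, so the demos can report whether an
 * object outlived, or was outlived by, the pointers to it. */
static int g_live_objects = 0;

int live_objects(void) { return g_live_objects; }

Element *element_create(const char *tag) {
    Element *e = calloc(1, sizeof *e);
    if (!e) return NULL;
    e->refcount = 1;                      /* the creator holds the first reference */
    strncpy(e->tag, tag, sizeof e->tag - 1);
    g_live_objects++;
    return e;
}

Element *element_retain(Element *e) {
    if (e) e->refcount++;
    return e;
}

void element_release(Element *e) {
    if (!e) return;
    if (--e->refcount == 0) {             /* last holder gone: safe to free */
        g_live_objects--;
        free(e);
    }
}

/* A component (e.g. an event callback target) that remembers an element. */
typedef struct Handler {
    Element *target;
    int bound;                            /* 1 while a target address is stored */
} Handler;

/* Unsafe: copies the address without taking a reference, so the owner can
 * free the element while this handler still holds its address. */
void handler_bind_unsafe(Handler *h, Element *e) {
    h->target = e;
    h->bound = 1;
}

/* Safe: takes a counted reference, so the element cannot be freed until
 * this handler unbinds. */
void handler_bind(Handler *h, Element *e) {
    h->target = element_retain(e);
    h->bound = 1;
}

void handler_unbind(Handler *h) {
    element_release(h->target);
    h->target = NULL;                     /* never leave the stale address behind */
    h->bound = 0;
}

/* Returns 1 when the handler still holds an address but no object is alive:
 * the dangling-pointer condition. Dereferencing h.target here would be the
 * use-after-free; the demo only detects the state and does not touch it. */
int demo_unsafe(void) {
    Handler h = { NULL, 0 };
    Element *e = element_create("div");
    handler_bind_unsafe(&h, e);
    element_release(e);                   /* owner drops its only reference: freed */
    int dangling = (h.bound && live_objects() == 0);
    h.target = NULL;                      /* discard the stale address */
    h.bound = 0;
    return dangling;
}

/* Returns 1 when the element stays alive for as long as the handler needs it
 * and is freed exactly when the last reference is dropped. */
int demo_safe(void) {
    Handler h = { NULL, 0 };
    Element *e = element_create("div");
    handler_bind(&h, e);                  /* refcount is now 2 */
    element_release(e);                   /* owner is done; handler keeps it alive */
    int alive_after_owner_release = (live_objects() == 1 && h.target->refcount == 1);
    handler_unbind(&h);                   /* last reference dropped: freed, pointer cleared */
    int freed_after_unbind = (live_objects() == 0 && h.target == NULL);
    return alive_after_owner_release && freed_after_unbind;
}

int main(void) {
    printf("raw-pointer binding leaves a dangling pointer: %s\n", demo_unsafe() ? "yes" : "no");
    printf("reference-counted binding stays valid:         %s\n", demo_safe() ? "yes" : "no");
    return 0;
}
```

The point of the contrast is in `element_release`: freeing is tied to the reference count reaching zero rather than to any single owner's decision, so an object cannot disappear while a handler still needs it, and `handler_unbind` clears the stored address so nothing stale remains.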
Microsoft reports that it is aware of targeted attacks attempting to use this vulnerability. An attacker could host a specially crafted website designed to exploit this vulnerability through Internet Explorer. The attacker could also take advantage of compromised websites, and of websites that accept or host user-provided content or advertisements. In both scenarios, an attacker would have to convince users to visit the website, typically by getting them to click a link in an e-mail or Instant Messenger message that takes the user to the website.
Systems are likely to be exploited if not patched quickly. A threat to unpatched systems is imminent.
The security update issued by Microsoft today is rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8. The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles objects in memory, validates input parameters, and filters HTML attributes.
CCIRC recommends that departments prioritize testing and deployment of this out-of-band patch as quickly as possible.
Microsoft Security Bulletin MS10-002
Cumulative Security Update for Internet Explorer (978207)
Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) operates within Public Safety Canada, and works with partners inside and outside Canada to mitigate cyber threats to vital networks outside the federal government. These include systems that keep Canada's critical infrastructure functioning properly, such as the electrical grid and financial networks, or contain valuable commercial information that underpins our economic prosperity. CCIRC supports the owners and operators of systems of national importance, including critical infrastructure, and is responsible for coordinating the national response to any serious cyber security incident.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118