Microsoft Security Bulletin MS10-002 - Critical
Number: AL10-001
Date: 21 January 2010
Purpose
The purpose of this Alert is to make system owners aware that a critical patch has been issued by Microsoft outside of the normal monthly patch cycle, to address a recent publicly reported vulnerability in Internet Explorer that was used in targeted attacks on the Internet.
Assessment
A vulnerability exists in Internet Explorer in which an invalid pointer reference may allow remote code execution. Under certain conditions, the pointer can still be accessed after the object it refers to has been deleted (a use-after-free). A specially crafted web page that causes Internet Explorer to access the freed object can therefore lead to remote code execution with the privileges of the logged-on user.
Microsoft reports that it is aware of targeted attacks attempting to use this vulnerability. An attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer. The attacker could also take advantage of compromised websites, or of websites that accept or host user-provided content or advertisements. In both scenarios the attacker would have to convince users to visit the website, typically by getting them to click a link in an e-mail or instant message that leads to the malicious page.
Systems are likely to be exploited if not patched quickly. A threat to unpatched systems is imminent.
The security update issued by Microsoft today is rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8. The security update addresses these vulnerabilities by modifying the way that Internet Explorer handles objects in memory, validates input parameters, and filters HTML attributes.
Suggested action
CCIRC recommends that departments prioritize testing and deployment of this out-of-band patch as quickly as possible.
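The following script is an added example for verifying deployment; it is not part of the CCIRC alert or of Microsoft's bulletin. It queries one or more Windows hosts for the MS10-002 cumulative update (KB978207, the number given in the Reference below) and reports the installed Internet Explorer version so that unpatched hosts can be listed for follow-up. It assumes PowerShell 2.0 or later, that WMI and the remote registry service are reachable on each host, and that the update is recorded as a Quick Fix Engineering entry whose HotFixID is "KB978207"; those assumptions, and the registry location read, are labelled in the code.

```powershell
# Added example (not CCIRC or Microsoft code). Reports whether KB978207
# (MS10-002) is installed on each host and which IE version is present.
#
# Assumptions:
#   - Win32_QuickFixEngineering on the target lists the update with
#     HotFixID 'KB978207'. A "not found" result means "verify manually",
#     not proof that the patch is absent.
#   - The IE version is stored in the 'Version' value under
#     HKLM\SOFTWARE\Microsoft\Internet Explorer (true for IE 5.01 to IE 8).
#
# Usage:  .\Check-MS10-002.ps1 -ComputerName srv01,srv02 | Format-Table -AutoSize
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$KB = 'KB978207'
)

foreach ($computer in $ComputerName) {
    $result = New-Object PSObject -Property @{
        Computer  = $computer
        IEVersion = $null
        KBPresent = $false
        Error     = $null
    }
    try {
        # Installed updates, filtered to the MS10-002 KB number.
        $qfe = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $computer -ErrorAction Stop |
               Where-Object { $_.HotFixID -eq $KB }
        $result.KBPresent = [bool]$qfe

        # Read the IE version from the remote machine's registry so that the
        # report shows which supported release (5.01, 6, 7 or 8) is in use.
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
        $key  = $hive.OpenSubKey('SOFTWARE\Microsoft\Internet Explorer')
        if ($key) { $result.IEVersion = $key.GetValue('Version') }
    }
    catch {
        # Unreachable host, access denied, WMI failure: record rather than abort.
        $result.Error = $_.Exception.Message
    }
    # Fixed column order for tabular output or export to CSV.
    $result | Select-Object Computer, IEVersion, KBPresent, Error
}
```

Hosts reporting KBPresent as False, or any non-empty Error, should be treated as unverified and checked through the organisation's patch management system before being considered protected; the script confirms presence of the update, not that Internet Explorer has been restarted since installation.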
Reference
Microsoft Security Bulletin MS10-002
Cumulative Security Update for Internet Explorer (978207)
http://www.microsoft.com/technet/security/bulletin/MS10-002.mspx
Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca