Microsoft announced today that security bulletin MS10-002 will be released on Thursday--almost three weeks ahead of the next regularly-scheduled Patch Tuesday update. MS10-002 has a cumulative risk rating of Critical and it is being released out-of-band to address the zero-day exploit at the heart of the China attacks on Google, which is now circulating in-the-wild.
Jerry Bryant, senior security program manager for Microsoft, said "Today we issued our Advanced Notification Service (ANS) to advise customers that we will be releasing MS10-002 tomorrow, January 21, 2010. We are planning to release the update as close to 10:00 a.m. PST as possible."
Bryant described the update "This is a standard cumulative update, accelerated from our regularly scheduled February release, for Internet Explorer with an aggregate severity rating of Critical. It addresses the vulnerability related to recent attacks against Google and a small subset of corporations, as well as several other vulnerabilities. Once applied, customers are protected against the known attacks that have been widely publicized. We recommend that customers install the update as soon as it is available. For customers using automatic updates, this update will automatically be applied once it is released."
While the initial attacks attributed to the Internet Explorer zero-day exploit were precision attacks against specific targets, the fact that the exploit code is now available in-the-wild could lead to copycat attacks being launched against the general public. Microsoft cautioned that there are no widespread attacks as of yet, and noted that the only successful attacks to date have been against Internet Explorer 6.
Richie Lai, director of vulnerability research for Qualys concurs. "The attack was focused on the browser/OS combination IE6 and Windows XP, both close to 10 years old and near end of life. Microsoft has put a lot of work into increasing attack mitigation and surface hardening that reduces the risk of successful exploitation on newer versions of the Windows Operating System (Vista, Windows 2008, Windows 7)."
Lai agrees with the sentiment expressed by other security professionals--that the Internet Explorer flaw in and of itself is nothing new, but that the application of the exploit in a sophisticated attack with specific targets or goals intended represents a shift in attack methodology that companies around the world should take note of.
"The IE zero-day that was released last week isn't something that is new or unique. Every couple of months a new vulnerability comes out for the major browsers. In the past, most of the vulnerabilities reported have been technical details of the bug. In this case, the discussion you see revolves around the usage of the vulnerability and less about the bug itself," said Lai.
Lai continued "What is new is that the affected organizations are coming forward with it and we think this is a positive trend that we hope will continue. As of now, the attack is limited to very directed attacks and we have not seen widespread use of the exploit in the wild."
"We do see that changing in the coming days since details of the vulnerability have been made publicly available," Lai cautioned. " In general users should upgrade to a modern OS/Browser combination, at minimum the browser should be updated to IE8 or another modern browser."
Microsoft will host a public webcast on Thursday, January 21 at 1:00pm Pacific time to present information related to security bulletin MS10-002 and answer questions about the threat and the patch. You can register to attend the webcast by clicking here.