Microsoft releases cumulative out-of-band update for Internet Explorer

Microsoft said on Tuesday that it has released a new out-of-band cumulative update for Internet Explorer 6 and 7 users.

The update (MS10-018) fixes 10 flaws, with the most serious allowing remote attackers to execute arbitrary code. Microsoft said it accelerated testing of this update due to the growing attacks against a publicly disclosed vulnerability. Nine other flaws were disclosed privately to Microsoft by security researchers. The public vulnerability was rated "extremely critical" by security researchers Secunia. The out-of-band patch is the second time this year that Microsoft has broken the monthly "Patch Tuesday" cycle that the software giant typically uses to release security updates.

In January this year Microsoft began urging businesses and consumers to upgrade to Internet Explorer 8, explaining that its security benefits are far greater than those of Internet Explorer 6. Both the French and German governments warned their populations to stop using Internet Explorer due to an earlier unpatched flaw discovered in targeted attacks earlier this year. Google disclosed that it had been targeted in a sophisticated cyber-attack. The breach, involving Internet Explorer 6, resulted in the theft of intellectual property.

Microsoft stressed that the public flaw addressed by this out-of-band patch does not affect Internet Explorer 8. Other flaws in the cumulative update do affect Internet Explorer 8 on Windows 7, so users will still be prompted to install the latest patch. Jerry Bryant, Group Manager of Response Communications at Microsoft, explained that the company is also investigating a potential flaw in Internet Explorer 8 discovered at last week's "pwn2own" hacking competition. "We are still investigating that issue at this time so we do not have an update available," said Bryant. Pwn2own saw Internet Explorer 8, Firefox and Safari all fall victim to previously undisclosed vulnerabilities. Google's Chrome browser escaped untested.

Updated: Article edited to reflect that the public vulnerability does not affect IE8 but that other flaws in this combined update do.

18 Comments


Lepton said,
How hard is it to read a bulletin before rushing to publish this article?

Say what?!? This was published 26+ hours ago. It's an out-of-cycle patch and *should* be news.

This is up for 2000, XP, 2003, 2003 x64 (R1 & R2), 2008 (R1 & R2), Vista and 7.

The 2003 R2 x64 version is 38.7 MB! The 2000 version is only 4MB.
Looks like they re-released IE8 for Server 2003

paulhaskew said,
hmm, no credit for back page news posting eh?

No, although you posted in BPN at 18:00 this story was written at 16:00 and queued for release later as a minor story.

I'm in favor of quick patch cycles - release the damn update when it is ready, don't sit on it until the next patch cycle so you can stick to a stupid schedule.

Relativity_17 said,
I'm in favor of quick patch cycles - release the damn update when it is ready, don't sit on it until the next patch cycle so you can stick to a stupid schedule.

A lot of businesses depend on this cycle, as it costs a lot of time and money to release these patches to 10000+ servers and 40000+ workstations. And doing one every few days would be enormously expensive.

Regardz

Benjo85au said,

A lot of businesses depend on this cycle, as it costs a lot of time and money to release these patches to 10000+ servers and 40000+ workstations. And doing one every few days would be enormously expensive.

Regardz


Businesses already manage their update schedules independently of Microsoft, and are welcome to continue doing so. If you want to update your managed images with cumulative patches every 30 days, go right ahead, but why keep the rest of us waiting?

Relativity_17 said,

Businesses already manage their update schedules independently of Microsoft, and are welcome to continue doing so. If you want to update your managed images with cumulative patches every 30 days, go right ahead, but why keep the rest of us waiting?

They need to know when to expect patches in order to keep a good schedule. Bundling fixes together reduces bandwidth usage, and lowers the number of restarts and interruptions for users.

When a bug really is critical and needs to go out quickly, they do this. It happens infrequently.

Besides, 30 days isn't that long.

Edited by Kirkburn, Mar 31 2010, 12:16am:

Kirkburn said,
They need to know when to expect patches in order to keep a good schedule. Bundling fixes together reduces bandwidth usage, and lowers the number of restarts and interruptions for users.

They only need to know when to expect patches when many patches are released on an infrequent basis. If patches are released upon being declared ready, then businesses can still adhere to Patch Tuesday if they want. By changing the release model to a more real-time strategy, we don't actually affect businesses. What we're getting right now is "all patches readied within the last 30 days", and what they can continue installing is "all patches readied within the last 30 days". The only difference will be that people on non-managed systems have the choice of installing sooner.

As far as the restart issue goes, that is a shortcoming both of Windows and of whoever is writing these patches. I had to restart my computer after installing the last batch of Office patches. Absolutely absurd.

Kirkburn said,
Besides, 30 days isn't that long.

30 days is forever, especially if an exploit can be made transmissible between computers.

Same here... I thought it was a little odd because the news bit about this before said "older versions" so I was pretty surprised to see it.

prime2515102 said,
And IE8 is listed for all OSes on that page. Why would MS "stress" that it doesn't affect it? geez...
MS stressed it wasn't affected by the specific issue that was announced. There are 9 other fixes being put out at the same time (which are not public).