VERT Alert

March 30, 2010 2:25 PST

The nCircle VERT Alert is brought to you by nCircle VERT, nCircle’s research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.

Today’s VERT Alert addresses a single new Microsoft Security Bulletin released with an Out of Band update. nCircle VERT is actively working on coverage for this issue in order to meet our 24-hour SLA. VERT is expecting to ship ASPL-343 on Wednesday, March 31st.

MS10-018

CVE-2010-0267    Uninitialized Memory Corruption Vulnerability
CVE-2010-0488    Post Encoding Information Disclosure Vulnerability
CVE-2010-0489    Race Condition Memory Corruption Vulnerability
CVE-2010-0490    Uninitialized Memory Corruption Vulnerability
CVE-2010-0491    HTML Object Memory Corruption Vulnerability (I)
CVE-2010-0492    HTML Object Memory Corruption Vulnerability (II)
CVE-2010-0494    HTML Element Cross-Domain Vulnerability
CVE-2010-0805    Memory Corruption Vulnerability
CVE-2010-0806    Uninitialized Memory Corruption Vulnerability
CVE-2010-0807    HTML Rendering Memory Corruption Vulnerability

MS10-018

This patch (which replaces MS10-002) addresses 10 vulnerabilities affecting Internet Explorer. All versions of IE (5.01 through to 8) are affected, although not all versions are affected by all vulnerabilities. The most important aspect of this bulletin is that it includes the patch for CVE-2010-0806, a flaw in iepeers.dll. This vulnerability in Internet Explorer 6 and 7, if exploited, would allow an attacker to execute arbitrary code on the target system at the permissions level of the current user. While Microsoft has stated that users of Internet Explorer 8 are not vulnerable, the availability of exploit code, along with public exploitation of the vulnerability, caused Microsoft to release this patch early.

As always, VERT recommends that you apply the patch as soon as possible, but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table

Ease of Use            Bulletins
Automated Exploit      MS10-018
Easy                   -
Moderate               -
Difficult              -
Extremely Difficult    -
No Known Exploit       -

Exposure (columns): Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged


All data and commentary is based on information available when the VERT Alert is published. The VERT Alert may be updated on the nCircle website as new information surfaces: http://www.ncircle.com/index.php?s=resources_VERT-Alert.