
Microsoft's IE Patch Plugs Aurora Hole, Seven Others


January 21, 2010
A cumulative update for Internet Explorer from Microsoft fixes the infamous vulnerability in the browser used recently to attack Google and other major companies. Seven other IE vulnerabilities were also fixed; it appears that Microsoft may have had this update ready to go for February.

This episode began less than two weeks ago, when Google announced that it had been the target of significant attacks from sites in China seeking to steal intellectual property and compromise the Gmail accounts of human rights activists. Google said it would, if need be, withdraw from China. Google was not alone in being attacked; Adobe and many other corporate and government sites were as well.

The attacks, which collectively have come to be known as "Aurora," were at first credited to a malicious Acrobat PDF file, then to the IE 0-day vulnerability fixed in this update. In fact, many different malware and vulnerability techniques were used: some attacks used the IE 0-day, and some malware experts claim that a PDF was indeed used in others.

The update is available through all the usual channels: Windows Update, Microsoft Update, and Windows Server Update Services (WSUS).

The bulletin lists the update as Critical for all platforms other than Internet Explorer 6 on Windows Server 2003. Four of the vulnerabilities, including the Aurora bug (designated CVE-2010-0249), are rated by Microsoft as likely to result in consistent exploit code, and of course Aurora is already being exploited.

Five of the other seven vulnerabilities have descriptions essentially identical to that of the Aurora bug, and all six have consecutive CVE numbers. This, combined with the Acknowledgements section of the advisory, indicates that once notified of Aurora, researchers found other related vulnerabilities and reported them to Microsoft. TippingPoint and the Zero Day Initiative are the big contributors this month.

The remaining two vulnerabilities are a cross-site scripting bug that could allow certain scripts to run in the wrong security context and a URL validation vulnerability that could allow remote code execution by way of a maliciously crafted URL. On any other day this latter bug would be big news.

Originally posted to the PCMag.com security blog, Security Watch.