There is a vulnerability in Internet Explorer that Microsoft will patch tomorrow. Normally Microsoft releases patches on the second Tuesday of each month, but in the case Microsoft is making the patch available much sooner. The most probable reason for the “out of band” patch is that this vulnerability received a ton of attention as it was implicated in a Google security story that had to do with Google’s decision to stop filtering in China the way the Chinese government wants them to. That story was enough to bring considerable attention to the vulnerability which in turn probably contributed to exploit code being made public.
What does this mean to you? It means you need to make sure your computer is patched tomorrow. Most home users will be updated automatically. Some people disable automatic updates and should make a point to apply the patch. The issue is serious enough that ZERT, the Zero Day Emergency Response team was considering a patch, however Microsoft is acting quickly enough that there doesn’t seem to be a need for a third party patch.
The worst impact of the vulnerability is probably going to be in the business sector where conficker taught us that many of the pros are still failing miserably at patch management. It will not be long before exploit code will be added to popular packages that are used to deface web pages. You can plan on seeing fake Valentine’s Day eCards that will attempt to exploit this and many other vulnerabilities. Results for popular searches, such as Haiti or whatever else is in the news will yield some web pages that will attempt to exploit the vulnerability as well.
You can read all about the vulnerability at http://www.microsoft.com/technet/security/bulletin/ms10-jan.mspx, but the important thing is to update when the patch is available. Even if you don’t use Internet Explorer, your operating system does and it makes sense to have it as patched as possible.
Director of Technical Education
Author ESET Research, ESET