Bulletin MS10-002 Released


Today we released Security Bulletin MS10-002 out-of-band to address vulnerabilities in Internet Explorer. All customers using currently supported versions of Windows and Internet Explorer should apply this update as soon as possible. Once applied, customers are protected against the known attacks that have been widely publicized. For customers using automatic updates, this update will automatically be applied once it is released.

I also wanted to clarify some information that we included in our update to Security Advisory 979352 yesterday. We let customers know that there are other applications that may use mshtml.dll as a rendering engine and if those applications allow active scripting, they can be used as an attack vector. Customers who install today’s update are NOT vulnerable and are protected from all known attack vectors. These applications are NOT vulnerable and no security updates are needed for them. Installing today’s Internet Explorer update addresses the vulnerability across all applications.

As we noted in our blog post yesterday, this Internet Explorer security update was already planned for release in February. When the attack discussed in Security Advisory 979352 was first brought to our attention on Jan 11, we quickly released an advisory for customers three days later. As part of that investigation, we also determined that the vulnerability was the same as a vulnerability responsibly reported to us and confirmed in early September.

For a detailed review of today’s bulletin, please join Adrian Stone and me today for a live webcast where we will try to answer your questions in real time. Registration information:

Date: Thursday Jan 21
Time: 1:00 p.m. PST (UTC -8)
Registration: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032440627

Hope to see you there!

Jerry Bryant


*This posting is provided "AS IS" with no warranties, and confers no rights.*