Yesterday was 'patch Tuesday' meaning that millions of PCs running Windows Update are slavishly downloading the latest patches from Microsoft. The explanation of "cumulative security update for Internet Explorer", just one of this month's patches, indicates that unpatched PCs accessing 'malicious Web pages' could be completely compromised by bugs in IE's handling of DHTML and URLs, potentially giving an attacker 'complete control of an affected system' through 'remote code execution'. In case you missed it, this important snippet of information is buried under the (normally unexpanded) vulnerability details section of the detailed bulletin accessible from the information page about the fix included in the latest set of patches ... how many of us bother to follow the trail through three web pages? What's more, today's Handler's Diary at SANS Internet Storm Center (which we blogged yesterday) reports that "A proof-of-concept exploit for this vulnerability is already publicly available from FrSIRT. The availability of the exploit is likely to increase the severity of this patch for most organizations.", a point which Microsoft neglected to mention explicitly. (FrSIRT notice here)
Watch out for a forthcoming NoticeBored security awareness module on 'security in information systems development' which will mention the patching treadmill as a contingency measure following the release of buggy software.
More Internet security resources