Apple Fixes Several Bugs

Releasing one of its biggest Mac OS X security updates, Apple fixes 88 vulnerabilities with Security Update 2010-002/Mac OS X v10.6.3. The update addresses critical issues that can lead to arbitrary code execution, information disclosure, and denial-of-service (DoS) attacks.

One of the critical fixes included is the solution for the AppKit issue, which can lead to an unexpected application termination or arbitrary code execution when spell-checking maliciously crafted documents. The update likewise includes fixes for several critical ImageIO and QuickTime bugs.  Mac OS X users are thus advised to immediately download and install the security update.

Microsoft Releases an Out-of-Band Patch

Microsoft, for its part, recognizes the immediate need to provide a solution for CVE-2010-0806 and has announced the impending release of an out-of-band patch via Security Bulletin MS10-018. The said release will primarily solve issues surrounding the zero-day Internet Explorer (IE) vulnerability affecting IE 6 and 7.

Since it first became public, cybercriminals have exploited the zero-day vulnerability. These exploits have led to malware detections, including several malicious JavaScript files (JS_SHELLCODE.CD, JS_SHELLCOD.JDT, JS_ COSMU.A, and JS_SHELLCODE.YY). The final payload of which are TSPY_GAMETI.WOW and TROJ_GAMETHI.FNZ, which both lead to game-related information theft.

The advance notification also stated that the out-of-band patch will be a cumulative update for IE. Apart from the critical zero-day patch, the update will likewise address nine other vulnerabilities, some of which also affect IE 8.

The patch is slated for release on March 30, 2010 at approximately 10:00 a.m. PDT (UTC-8). The primary workaround for CVE-2010-0806 is to upgrade to IE 8, which remains unaffected by this particular zero-day vulnerability. However, the best practice is still applying the out-of-band patch as soon as it is released.

Trend Micro Solutions for Windows and Mac Users

Trend Micro Deep Security™ and OfficeScan™ continue to protect business users from the this particular IE zero-day exploit via the Intrusion Defense Firewall (IDF) plug-in if their systems are updated with the IDF10-011 release, rule number IDF10011.

Trend Micro™ Smart Protection Network™ likewise protects product users from this threat by preventing users from accessing sites hosting JS_SHELLCODE.CD, JS_SHELLCOD.JDT, JS_SHELLCODE.YY, and JS_COSMU.A. It also prevents the download and execution of malicious files such TROJ_INJECT.JDT, TROJ_SASFIS.VR, TROJ_DLOADR.VR, TSPY_GAMETI.WOW, TROJ_DROPPR.FNZ, and TROJ_GAMETHI.FNZ via the file reputation service.

Update as of March 31, 2010, 11:30 a.m. (GMT +8:00):

Microsoft released a security update that resolves nine reported vulnerabilities and one unreported vulnerability in IE. The update also addresses the CVE-2010-0806 vulnerability. Affected users are advised to download the updates from this security bulletin.