Microsoft is rushing out a pair of emergency security updates on Tuesday to close vulnerabilities in Internet Explorer and Visual Studio.
While it warned about the upcoming, out-of-band patches on Friday, Microsoft (NASDAQ: MSFT) has not yet provided detailed guidance on the specifics of what the vulnerabilities involve, though it is providing a few clues.
“While we can’t go into specifics about the issue prior to release, we can say that the Visual Studio bulletin will address an issue that can affect certain types of applications,” Mike Reavey, director of the Microsoft Security Response Center said in a blog post. “The Internet Explorer bulletin will provide defense-in-depth changes to Internet Explorer to help provide additional protections for the issues addressed by the Visual Studio bulletin.”
Reavey also noted that the Microsoft IE security bulletin will go beyond the issues that jointly affect IE and Visual Studio.
“The Internet Explorer update will also address vulnerabilities rated as Critical that are unrelated to the Visual Studio bulletin that were privately and responsibly reported,” he added.
It’s unclear whether one of those vulnerabilities is related to a security presentation scheduled for Wednesday afternoon at the Black Hat Las Vegas security conference.
Security researchers Mark Dowd, Ryan Smith and David Dewey will be demoing a new tool to show how IE deals with killbits. A killbit is a registry setting that Microsoft routinely uses to stop Internet Explorer from loading a specific ActiveX control, identified by its CLSID, once that control has been found to be insecure.
The security researchers, who call themselves Hustle Labs, have posted a public demo of what they intend to talk about at Black Hat — a way to detect when ActiveX killbits are in use in the browser, and how a hacker might bypass their limitations.
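The Hustle Labs demo approaches killbits from inside the browser; the administrator's view is the registry. The script below is an added example, not code from the article or from Hustle Labs. It relies on the documented kill bit layout (bit 0x400 of the "Compatibility Flags" DWORD under the ActiveX Compatibility key, with a Wow6432Node copy read by the 32-bit browser on 64-bit Windows); the function names and the all-zero CLSID in the usage lines are placeholders of mine, not identifiers from the page.

```powershell
# Added example (not from the article or Hustle Labs): inspect Internet Explorer
# kill bits. A kill bit is bit 0x400 of the "Compatibility Flags" DWORD under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# On 64-bit Windows the 32-bit browser reads the Wow6432Node copy of that key,
# so both locations are checked. Run from a 64-bit PowerShell so registry
# redirection does not collapse the two views into one.

$KillBit = 0x400
$KillBitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-ActiveXKillBit {
    # Report whether the kill bit is set for one control, once per registry view.
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
        [string]$Clsid
    )
    foreach ($base in $KillBitKeys) {
        $keyPath = Join-Path $base $Clsid
        $flags = $null
        if (Test-Path -LiteralPath $keyPath) {
            $flags = (Get-ItemProperty -LiteralPath $keyPath).'Compatibility Flags'
        }
        $flagsText = $null
        if ($null -ne $flags) { $flagsText = '0x{0:X8}' -f [int]$flags }
        [pscustomobject]@{
            Clsid       = $Clsid
            RegistryKey = $keyPath
            Flags       = $flagsText
            KillBitSet  = ($null -ne $flags) -and (([int]$flags -band $KillBit) -eq $KillBit)
        }
    }
}

function Get-ActiveXKillBits {
    # Enumerate every control whose kill bit is set on this machine.
    foreach ($base in $KillBitKeys) {
        if (-not (Test-Path -LiteralPath $base)) { continue }
        Get-ChildItem -LiteralPath $base | ForEach-Object {
            $flags = (Get-ItemProperty -LiteralPath $_.PSPath).'Compatibility Flags'
            if ($null -ne $flags -and (([int]$flags -band $KillBit) -eq $KillBit)) {
                [pscustomobject]@{
                    Clsid       = $_.PSChildName
                    RegistryKey = $_.PSPath
                    Flags       = '0x{0:X8}' -f [int]$flags
                }
            }
        }
    }
}

# Usage. The CLSID below is a placeholder, not a real control's identifier.
Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
Get-ActiveXKillBits | Sort-Object Clsid | Format-Table -AutoSize
```

A control whose key is absent, or whose flags lack the 0x400 bit, is one the browser will still instantiate; that is the state a patch such as this week's IE bulletin changes when it adds killbits for affected controls, and the comparison worth keeping is the enumeration output from before and after the update.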
A Microsoft spokesperson was not immediately available to comment on the impact of the Hustle Labs presentation.
Tuesday’s out-of-band updates come weeks ahead of the company’s next scheduled Patch Tuesday update — slated for Aug. 11 — and follow Microsoft’s July Patch Tuesday, in which the company addressed a pair of zero-day vulnerabilities.
Microsoft’s disclosure that it is about to release a pair of emergency updates also comes as the company is claiming success in becoming more open with the security community, developments that continue the software giant’s efforts to improve security visibility.
A year ago, Microsoft rolled out its Microsoft Exploitability Index and the Microsoft Active Protections Program (MAPP) as efforts to provide new details on security vulnerabilities in its products.
The Exploitability Index assigns each security issue a rating that indicates how likely it is to be abused by attackers or malware authors. Its highest rating flags vulnerabilities for which Microsoft believes that consistently working exploit code is likely to be released within 30 days of Microsoft’s own patch being made available.
The MAPP program complements the Exploitability Index by providing Microsoft partners with details of vulnerabilities before the official patches are released.
According to Microsoft, from October 2008 to June of 2009, the company issued 140 Exploitability Index ratings, of which 99 percent were accurate.