Microsoft released “Out Of Band” IE Update
Microsoft has released a new patch for Internet Explorer. According to the Microsoft Security Advisory, the reason for the out-of-band release was that the vulnerability described in CVE-2010-0806, “Uninitialized Memory Corruption Vulnerability”, was being widely seen in the wild.
On March 10th the exploit was added to the Metasploit Framework, and instructions on how to use the exploit immediately began spreading on many hacker boards. It was first seen on the replacement for Milw0rm, XpltDB: Exploit-DB.com.
You can find some more info at Gary Warner’s blog (from where I got the news) or at Rec-Sec.com.
The Microsoft Bulletin is here:
Some of the issues addressed include:
CVE-2010-0267 – Uninitialized Memory Corruption Vulnerability
CVE-2010-0488 – Post Encoding Information Disclosure Vulnerability
CVE-2010-0489 – Race Condition Memory Corruption Vulnerability
CVE-2010-0490 – Uninitialized Memory Corruption Vulnerability
CVE-2010-0491 – HTML Object Memory Corruption Vulnerability
CVE-2010-0492 – HTML Object Memory Corruption Vulnerability
CVE-2010-0494 – HTML Element Cross-Domain Vulnerability
CVE-2010-0805 – Memory Corruption Vulnerability
CVE-2010-0806 – Uninitialized Memory Corruption Vulnerability
CVE-2010-0807 – HTML Rendering Memory Corruption Vulnerability




















