Microsoft patches critical drive-by IE9 bug, Windows zero-day

Fixes 16 flaws, picks up IE update tempo

Microsoft today patched 16 vulnerabilities, including one in Windows that's been exploited for weeks and two in Internet Explorer 9 (IE9) in the first-in-years back-to-back browser update.

Of Tuesday's nine security updates, three were rated "critical," Microsoft's most-severe threat ranking, while the others were pegged as "important," the next-most-serious label.

Among the products patched today were all versions of Windows; Office 2003, 2007 and 2010 on Windows; Office for Mac 2011; and IE9, Microsoft's newest browser that the company has touted as its most modern and most secure.

The three critical updates -- Microsoft dubs them bulletins -- were the ones tagged by Microsoft and independent security researchers as the first to apply.

As expected, Microsoft fixed a flaw in XML Core Services (MSXML) with MS12-043. The MSXML vulnerability has been actively exploited in targeted attacks against high-value victims, including those in aerospace and defense industries, for weeks. Microsoft acknowledged the attacks almost a month ago, but contrary to some experts' speculation, did not issue an emergency, or "out-of-band," update, instead waiting until the regular Patch Tuesday.

"Exploit code for this was published last week," said Jason Miller, manager of research and development at VMware, referring to attack code going public. "It's a zero-day, so it should be patched as soon as possible."

"It's being leveraged in the wild, so [MS12-043] has to be at the top of everyone's list," echoed Andrew Storms, director of security operations at nCircle Security.

Both Miller and Storms noted that Microsoft did not patch MSXML Core Services 5.0, a version bundled with Office 2003, Office 2007 and other Office-related products and components. "The security updates for Microsoft XML Core Services 5.0 are unavailable at this time," Microsoft said in the accompanying write-up.

"I'm guessing they ran out of time," said Miller of the omission of a patch for MSXML 5.0. "It's better to have something rather than have them wait [for the 3.0 fix] and give us nothing now."

Microsoft has said that all current attacks have exploited the vulnerability in MSXML Core Services 3.0, a version included with Windows.

"The exploit is already out there, so issuing [this partial patch] isn't going to create a detriment for anyone," said Storms. "The big question is 'When are we going to see the patch?'"

The company did not specify when the Core Services 5.0 fix would be released, or when it is finished, whether it would ship before next month's Patch Tuesday.

Both Windows 8 Consumer Preview and the newer Release Preview will also receive the MS12-043 update, Microsoft said.

Second on researchers' list was MS12-044, a two-patch update for IE9.

But what got Miller and Storm to pay attention wasn't so much the IE9 update but that it followed June's cumulative patch for Microsoft's browser.

Microsoft has long used an every-other-month tempo for IE update, shipping patches for its browser only on even-numbered months. Today, the company quit that habit.

"We have ... increased our Internet Explorer resources to the point where we will be able to release an update during any month instead of on our previous, bi-monthly cadence," said Yunsun Wee, a director in Microsoft's Trustworthy Computing group, in a post to the Microsoft Security Response Center (MSRC) blog.

Storms praised Microsoft decision to ditch the bi-monthly updates. "IE is the most-used application in Windows, so it ought to be updated as soon and as often as possible," he said.

Miller agreed. "Bi-monthly is just too long between updates," Miller said. "I'd rather have it patched sooner than later."

Other browsers, notably Google's Chrome and to a lesser extent, Mozilla's Firefox, have been patched much more frequently than every-other month: Chrome often receives several security updates each month, while Firefox is regularly patched every six weeks.

While some researchers assumed that Microsoft has added staff to streamline its testing of IE updates -- and thus be able to turn around patches faster -- Storms did not. Instead, he saw the shift to possible monthly IE patching as simply a mechanism for getting out fixes as they're completed, rather than waiting for the next bi-monthly cycle.

Also on the top-three list of Microsoft, Miller and Storms is MS12-045, a one-patch critical update for Microsoft Data Access Components (MDAC), code that lets Windows access databases such as Microsoft's own SQL Server.

MDAC was last updated by Microsoft in August 2011.

"All three of the critical updates patch vulnerabilities that can be effectively exploited through the browser, including MS12-045," said Storms. Because such attacks do not require any user interaction -- other than to be suckered into surfing to a malicious site -- they're dubbed "drive-by attacks," and as such are considered the most dangerous to users and the most likely to be leveraged by attackers.

Microsoft also patched SharePoint, its enterprise-grade collaboration platform; Office for Mac 2011, the newest edition of that suite; Visual Basic for Applications; and other parts of Windows, including kernel mode drivers and the Windows Shell.

July's nine security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through WSUS.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Join the discussion
Be the first to comment on this article. Our Commenting Policies