Microsoft hustles, patches IE to ward off increasing attacks
Issues five-patch update that tackles critical bugs in IE6, IE7, IE8 and IE9
Computerworld - Microsoft today released an emergency patch for Internet Explorer (IE) to stymie active attacks that have been exploiting a bug in the browser, finishing a job it started only Monday.
"Let's call it five days from advisory to patch," said Andrew Storms, director of security operations at nCircle Security. "I'd like to see anybody pull that off."
The so-called "zero-day" vulnerability -- meaning it was leveraged by attackers before Microsoft was aware of the bug, much less able to patch it -- surfaced six days ago. Since then, Microsoft has published an advisory (on Monday), confirmed the vulnerability and issued a "Fixit," one of its automated configuration tools, to block the known exploits (Wednesday).
The Fixit relied on a tactic Microsoft first deployed in January 2011, when it used a "shim," or application compatibility workaround, to thwart then-circulating attacks against IE.
Then, as in the recent Fixit, Microsoft utilized the Application Compatibility Toolkit, included with Windows since XP, to modify the core library of IE -- a DLL, or Dynamic-Link library, named "Mshtml.dll," that contains the rendering engine -- in memory each time the browser ran.
Users who have already enabled the shim do not have to uninstall it -- or disable the Fixit -- when they patch today, Microsoft said.
Today's update was rated "critical" by Microsoft, the company's highest threat ranking.
Of the four non-zero-day vulnerabilities, three were limited to IE9, the edition that debuted in March 2011. The fourth impacted only IE7 and IE8. All five vulnerabilities patched by MS12-063 today, including the zero-day, were tagged as critical.
Security experts said that Microsoft had this update -- sans the patch for the zero-day -- already ready, and failing the hustle to fix the exploited vulnerability, it would have been amongst those delivered next Patch Tuesday, Oct. 9.
"What we're seeing is next month's patch," said Storms. "Given that the four others were all responsibly disclosed, they don't present that much of a threat." Storms also called the other patched bugs "par for the course" for IE.
MS12-063 applies to all supported editions of Windows -- XP, Vista and Windows 7 -- and affects IE6, IE7, IE8 and IE9. Only IE10, the browser bundled with Windows 8, is immune.
Friday's "out-of-band" -- security-speak for an emergency update outside the usual monthly Patch Tuesday schedule -- will be the first that Microsoft has released this year and only the second since September 2010. It was also the first emergency patch of an IE zero-day vulnerability since January 2010, when Microsoft fixed a flaw exploited by the "Aurora" Trojan horse.
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Microsoft plans another short patch slate for next week, but finds a few XP bugs to crush
- Target attack shows danger of remotely accessible HVAC systems
- Target hackers try new ways to use stolen card data
- Update: Microsoft to patch just-revealed Windows zero-day tomorrow
- NSA spying prompts open TrueCrypt encryption software audit to go viral
- Microsoft warns of Office zero-day, active hacker exploits
- Hackers move to create next Blackhole after 'Paunch' arrest
- Adobe hack shows subscription software vendors lucrative targets
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts