Microsoft hustles, patches IE to ward off increasing attacks
Issues five-patch update that tackles critical bugs in IE6, IE7, IE8 and IE9
Computerworld - Microsoft today released an emergency patch for Internet Explorer (IE) to stymie active attacks that have been exploiting a bug in the browser, finishing a job it started only Monday.
"Let's call it five days from advisory to patch," said Andrew Storms, director of security operations at nCircle Security. "I'd like to see anybody pull that off."
The so-called "zero-day" vulnerability -- meaning it was leveraged by attackers before Microsoft was aware of the bug, much less able to patch it -- surfaced six days ago. Since then, Microsoft has published an advisory (on Monday), confirmed the vulnerability and issued a "Fixit," one of its automated configuration tools, to block the known exploits (Wednesday).
The Fixit relied on a tactic Microsoft first deployed in January 2011, when it used a "shim," or application compatibility workaround, to thwart then-circulating attacks against IE.
Then, as in the recent Fixit, Microsoft utilized the Application Compatibility Toolkit, included with Windows since XP, to modify the core library of IE -- a DLL, or Dynamic-Link library, named "Mshtml.dll," that contains the rendering engine -- in memory each time the browser ran.
Users who have already enabled the shim do not have to uninstall it -- or disable the Fixit -- when they patch today, Microsoft said.
Today's update was rated "critical" by Microsoft, the company's highest threat ranking.
Of the four non-zero-day vulnerabilities, three were limited to IE9, the edition that debuted in March 2011. The fourth impacted only IE7 and IE8. All five vulnerabilities patched by MS12-063 today, including the zero-day, were tagged as critical.
Security experts said that Microsoft had this update -- sans the patch for the zero-day -- already ready, and failing the hustle to fix the exploited vulnerability, it would have been amongst those delivered next Patch Tuesday, Oct. 9.
"What we're seeing is next month's patch," said Storms. "Given that the four others were all responsibly disclosed, they don't present that much of a threat." Storms also called the other patched bugs "par for the course" for IE.
MS12-063 applies to all supported editions of Windows -- XP, Vista and Windows 7 -- and affects IE6, IE7, IE8 and IE9. Only IE10, the browser bundled with Windows 8, is immune.
Friday's "out-of-band" -- security-speak for an emergency update outside the usual monthly Patch Tuesday schedule -- will be the first that Microsoft has released this year and only the second since September 2010. It was also the first emergency patch of an IE zero-day vulnerability since January 2010, when Microsoft fixed a flaw exploited by the "Aurora" Trojan horse.
- Feds declare big win over Cryptolocker ransomware
- Hackers hit more businesses through remote access accounts
- P.F. Chang's post-breach move to manual processing is telling
- Microsoft withholds monster IE update from Windows 8.1 dawdlers
- In baffling move, TrueCrypt open-source crypto project shuts down
- 'Oleg Pliss' hack makes for a perfect teachable IT moment
- Give IE the heave-ho until Microsoft patches zero-day
- Hackers find first post-retirement Windows XP-related vulnerability
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- The Forrester Wave™: File Sync And Share Platforms, Q3 2013 Download this Analyst report to read why IBM SmartCloud for Social Business was cited as a leader in The Forrester Wave™: File Sync...
- Brunswick Case Study By implementing IBM SmartCloud services, Brunswick estimates that it avoided hundreds of thousands of dollars in capital expenditures, and is saving up to...
- Energizing Life's Work If your life's work is about caring for people in a business context, the latest digital and social innovations from IBM can help...
- It's not too late...Get Your Mobile Questions Answered Live! How can IT provide seamless and secure mobile communications and collaboration for all? Join this live Webcast as IDG asks an expert panel...
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success! All Malware and Vulnerabilities White Papers | Webcasts