Microsoft keeps calm, issues emergency IE update
'Classic example of incident response,' argues security professional
Computerworld - Microsoft today shipped an emergency update for Internet Explorer (IE) to stymie attacks that have been occurring since at least Dec. 7.
The "out-of-band" update -- the label for a security fix outside a vendor's normal schedule -- was expected by experts, who last week predicted Microsoft would issue a fix for the IE flaw before the next Patch Tuesday on Feb. 12.
One of those experts congratulated Microsoft on making even emergency updates boring.
"It's as ordinary as only Microsoft could make an [out-of-band] release ordinary," said Andrew Storms, director of security operations at nCircle Security, in an interview via instant messaging. "While it's rare they go out of band, their idea of emergency is still calm and to the letter of the process."
And that, said Storms, is a good thing. "So much about managing risk [in the enterprise] is about not losing your head and getting caught up in the FUD (fear, uncertainty and doubt)," Storms added. "Microsoft knows how to keep things on a cool and calm pace. They recognized the threat, made a plan, issued mitigation efforts and eventually released an out-of-band. All that within a short time frame. Seems like a classic example of how to run incident response."
Today's MS13-008 update patches a single critical vulnerability in IE6, IE7 and IE8, plugging a hole acknowledged by Microsoft on Dec. 29 after security firms said the website of the Council on Foreign Relations (CFR), a noted U.S. foreign policy think tank, was hosting attack code targeting IE8.
Since then, researchers have found evidence of attacks as far back as Dec. 7 and monitored other domains that have conducted similar drive-bys.
Shortly after it warned customers of ongoing attacks, Microsoft released an automated "Fixit" tool to block exploits; recommended that customers deploy the Enhanced Mitigation Experience Toolkit (EMET), another anti-exploit utility; or, if possible, upgrade to IE9 or IE10, neither of which contains the vulnerability.
However, Exodus Intelligence, a company composed of several researchers who once worked at HP TippingPoint and its Zero Day Initiative bug-bounty program, claimed that the Fixit's and EMET's protections could be circumvented. And Windows XP customers were unable to upgrade from IE8, since Microsoft has barred them from running IE9 or IE10.
Because Microsoft patched only the one zero-day vulnerability, said Storms, it's probable that next month's Patch Tuesday will include a wider-ranging IE update. "We do need to remember that it's very likely we will still have a regular IE update in February," Storms said. "So just as soon as we are done getting this bad boy distributed, there will be another update waiting."
One possible sticking point with today's emergency patch is that it is not a cumulative update, or one that includes all past IE patches, as is the norm for IE. Users must also apply last month's MS12-077 to be up-to-date, and according to Microsoft, to avoid problems down the road.
"Customers who have not installed the latest cumulative security update for Internet Explorer [MS12-077] may experience compatibility issues after installing the MS13-008 update," Monday's security bulletin stated.
Today's out-of-band update was the first since September, and only the fourth since September 2010.
Windows users can obtain MS13-008 via the Microsoft Update and Windows Update services, as well as through the enterprise-oriented WSUS (Windows Server Update Services).
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.