Microsoft keeps calm, issues emergency IE update
'Classic example of incident response,' argues security professional
Computerworld - Microsoft today shipped an emergency update for Internet Explorer (IE) to stymie attacks that have been occurring since at least Dec. 7.
The "out-of-band" update -- the label for a security fix outside a vendor's normal schedule -- was expected by experts, who last week predicted Microsoft would issue a fix for the IE flaw before the next Patch Tuesday on Feb. 12.
One of those experts congratulated Microsoft on making even emergency updates boring.
"It's as ordinary as only Microsoft could make an [out-of-band] release ordinary," said Andrew Storms, director of security operations at nCircle Security, in an interview via instant messaging. "While it's rare they go out of band, their idea of emergency is still calm and to the letter of the process."
And that, said Storms, is a good thing. "So much about managing risk [in the enterprise] is about not losing your head and getting caught up in the FUD (fear, uncertainty and doubt)," Storms added. "Microsoft knows how to keep things on a cool and calm pace. They recognized the threat, made a plan, issued mitigation efforts and eventually released an out-of-band. All that within a short time frame. Seems like a classic example of how to run incident response."
Today's MS13-008 update patches a single critical vulnerability in IE6, IE7 and IE8, plugging a hole acknowledged by Microsoft on Dec. 29 after security firms said the website of the Council on Foreign Relations (CFR), a noted U.S. foreign policy think tank, was hosting attack code targeting IE8.
Since then, researchers have found evidence of attacks as far back as Dec. 7 and monitored other domains that have conducted similar drive-bys.
Shortly after it warned customers of ongoing attacks, Microsoft released an automated "Fixit" tool to block exploits and recommended that customers either deploy the Enhanced Mitigation Experience Toolkit (EMET), another anti-exploit utility, or, if possible, upgrade to IE9 or IE10, neither of which contains the vulnerability.
However, Exodus Intelligence, a company composed of several researchers who once worked at HP TippingPoint and its Zero Day Initiative bug-bounty program, claimed that the Fixit's and EMET's protections could be circumvented. And Windows XP customers were unable to upgrade from IE8, since Microsoft has barred them from running IE9 or IE10.
Because Microsoft patched only the one zero-day vulnerability, said Storms, it's probable that next month's Patch Tuesday will include a wider-ranging IE update. "We do need to remember that it's very likely we will still have a regular IE update in February," Storms said. "So just as soon as we are done getting this bad boy distributed, there will be another update waiting."
One possible sticking point with today's emergency patch is that it is not a cumulative update, or one that includes all past IE patches, as is the norm for IE. Users must also apply last month's MS12-077 to be up-to-date and, according to Microsoft, to avoid problems down the road.
"Customers who have not installed the latest cumulative security update for Internet Explorer [MS12-077] may experience compatibility issues after installing the MS13-008 update," Monday's security bulletin stated.
Today's out-of-band update was the first since September, and only the fourth since September 2010.
Windows users can obtain MS13-008 via the Microsoft Update and Windows Update services, as well as through the enterprise-oriented WSUS (Windows Server Update Services).
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.