Microsoft rushes IE8 zero-day fix into next week's Patch Tuesday
33 fixes will also include patches for the IE10 Pwn2Own vulnerabilities
Computerworld - Microsoft today said it will issue 10 security updates next week, two rated "critical," to patch 33 vulnerabilities, including the zero-day bug that has been used by cyber criminals to poison "watering hole" websites in attacks aimed at U.S. government workers.
"IE is always critical, and we expected at least one update this month," said Andrew Storms, director of security operations at Tripwire's nCircle Security, in an interview. "What was surprising was the IE8 fix."
The remaining eight updates, called "bulletins" by Microsoft, were pegged as "important" on the firm's threat scale, and will provide patches for Windows, several applications in the Office family and for multiple communications products, including Lync, Microsoft's enterprise-grade instant messaging platform.
Three of the Windows security updates will affect Windows 8 and Windows RT, Microsoft's newest operating systems; one of the trio will patch only those two editions.
But the two updates aimed at IE are those to deploy ASAP, said Storms. Of the pair, the most important will be Bulletin 2, which will patch the zero-day in IE8 disclosed last week by several security firms when they analyzed attack code planted on the U.S. Department of Labor website.
"We are working to have the Internet Explorer Security Update address the issue described in Security Advisory 2847140," said Dustin Childs, group manager of the Trustworthy Computing group, in a post to the Microsoft Security Response Center (MSRC) blog today.
Last Friday, Microsoft confirmed the IE8 vulnerability when it issued that security advisory. Yesterday, the company published an automated "Fixit" tool to protect IE8 from in-the-wild exploits. The tool was based on a "shim," a term used to describe an application compatibility workaround, a tactic Microsoft has used in the past to ward off active browser attacks.
Last December, Microsoft released a shim to block attacks exploiting a then-unpatched bug in IE6, IE7 and IE8. Those attacks surfaced when security researchers spotted drive-by exploits hosted on the website of the Council on Foreign Relations (CFR), a non-partisan foreign policy think tank with offices in New York and Washington, D.C.
Like the CFR attacks, those originating on the Department of Labor website were dubbed "watering hole" attacks, so named because the exploits were planted on sites frequented by the targeted users. Fairfax, Va.-based Invincea said last Friday that those targets were workers and officials in the U.S. Department of Energy involved in nuclear weapons research.
Since Friday, other security firms have said that the risk was greater than first believed, with up to nine other websites, including an unnamed European aerospace and defense contractor, similarly compromised to launch attacks. Irvine, Calif.-based CrowdStrike said the attacks may have begun using the IE8 vulnerability as long ago as mid-March.
Storms praised Microsoft's rapid response to the threat and its ability to come up with a fix, test it on both IE8 and IE9 -- the latter has the vulnerable code but cannot be exploited -- and prepare the package as the company readied the rest of Patch Tuesday's updates. "That's a lot of work in just a week," said Storms, referring to the time since researchers identified the true nature of the vulnerability.