Microsoft to patch zero-day IE bug now under attack
Eight updates will plug holes in IE, Windows, Office, SharePoint and Silverlight
Computerworld - Microsoft today said it will ship eight security updates next week to patch critical vulnerabilities in Windows and Internet Explorer (IE), with the one aimed at IE plugging the hole attackers have been exploiting for months.
"The Critical update for Internet Explorer will be a cumulative update which will address the publicly disclosed issue described in Security Advisory 2887505," confirmed Dustin Childs on the Microsoft Security Response Center (MSRC) blog today.
Security experts identified the IE update as the one to deploy first, citing the fact that one of the vulnerabilities has been used by cyber criminals in targeted attacks against users in Japan and Taiwan.
"IE is always top of the list," said Andrew Storms, director of DevOps at cloud security vendor CloudPassage, in an interview today.
On Sept. 17, Microsoft confirmed that hackers were exploiting a critical unpatched vulnerability in Internet Explorer 8 (IE8) and Internet Explorer 9 (IE9). The bug, however, existed in all versions of the browser, including the 12-year-old IE6 and the newest IE11.
Over the next two weeks, security companies reported that attacks had been aimed at Japanese and Taiwanese organizations since July. And earlier this week, exploit code went public as a working module was added to the open-source Metasploit penetration framework. Researchers predicted that the Metasploit appearance would result in an increase in attacks as less-capable hackers copied the code and added it to their weaponized toolkits.
"Once it went into Metasploit, I anticipated an early release of a patch by Microsoft," said Storms today. "Obviously the patch is done, but Microsoft's and its partners' telemetry must have shown that there were no reasons to go out-of-band."
Historically, Microsoft has issued "out-of-band" updates -- those outside the normal monthly release schedule -- only when it believes large numbers of its customers are at risk. The company has never publicly disclosed how it decides when to ship an out-of-band security update.
The early date of October's Patch Tuesday -- always the second Tuesday of the month -- may have played a part in Microsoft's decision to hold the update and not go out-of-band, Storms said.
The IE update was just one of four rated "critical" by Microsoft. The remaining three critical updates were all aimed at Windows, including one that applied to the newest Windows 8, Windows RT, Windows 8.1 and Windows RT 8.1, according to Microsoft's advance notification distributed today.
Experts recommended that customers install the Windows updates as soon as possible after their release. "Bulletins 2 and 3 are through the stack and might end up rating more attention than the IE update," warned Storms.
Microsoft said Bulletin 3 did not affect Windows 8.1 or Windows RT 8.1, but that Bulletin 2 did.
The other four updates will patch vulnerabilities in Excel, other pieces of Office, the SharePoint collaboration server software and Silverlight, a media format Microsoft seems to have discarded or at least isn't interested in developing further.
Because the Office-related vulnerabilities were ranked as "important" even though Microsoft said hackers could exploit them to plant malware on customers' PCs, Storms said it was probable that any attack code required considerable user interaction to work, such as downloading files, opening shared folders or clicking through multiple warnings.
"Being exploited via a drive-by is not going to happen," said Storms, referring to the most dangerous attacks, which only require a user to visit a malicious website to trigger exploits.
Microsoft will release next week's security updates on Oct. 8 around 1 p.m. ET.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.