Microsoft released an emergency security update that squashes a zero-day bug in Internet Explorer that is being targeted by attackers.
Early this week, the company released a Fix It tool to provide a temporary solution for users until a patch was ready. The zero-day impacts Internet Explorer (IE) versions 6, 7, 8 and 9.
“Today we released Security Update MS12-063 to address limited attacks against a small number of computers through a vulnerability in Internet Explorer versions 9 and earlier,” blogged Yunsun Wee, director, Microsoft Trustworthy Computing. “The majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically. For those manually updating, we encourage you to apply this update as quickly as possible.”
The zero-day itself is a use-after-free: Internet Explorer accesses an object that has already been deleted or was never properly allocated. The resulting memory corruption could allow an attacker to execute arbitrary code in the context of the current user, Microsoft warned, so accounts running with fewer rights than an administrator are exposed to less damage.
Attackers can compromise users, the company added, by luring them to a specially crafted website built to exploit the bug.
“Microsoft had to respond very quickly to this bug,” said Andrew Storms, director of security operations at nCircle. “In addition to the serious security threats it posed to their customers, Internet Explorer’s market share is at risk. Many security pundits and organisations have been telling users to switch browsers until a patch is available; I’m sure that got the attention of a lot of Microsoft executives.”
The German government’s Federal Office for Information Security, or BSI, advised users this week to temporarily switch browsers until a patch was ready.
There are a number of mitigating factors for the zero-day. By default, IE on Windows Server 2003, 2008 and 2008 R2 runs in a restricted mode (Enhanced Security Configuration) that limits the threat posed by the vulnerability. In addition, all supported versions of Microsoft Outlook, Outlook Express and Windows Mail open HTML email messages in the restricted sites zone, which reduces the risk in this case because it disables script and ActiveX controls; a user who clicks a link in such a message and opens it in the browser is still exposed.
Anyone worried about attacks can also deploy Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) and set the Internet and Local intranet security zone levels to High, which blocks ActiveX controls and Active Scripting in both zones. Alternatively, users can configure IE to prompt them before running Active Scripting, or disable it outright.
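The zone lockdown described above, scripted so it can be audited, applied and later reverted on a Windows machine. This is an added example, not code from the article or from Microsoft; it assumes the documented IE registry layout (zone 1 = Local intranet, zone 3 = Internet; action 1200 = Run ActiveX controls and plug-ins, action 1400 = Active scripting; 0 = Enable, 1 = Prompt, 3 = Disable), the KB number under which MS12-063 shipped, and an EMET 3.0 command-line syntax that is noted as an assumption in the comments. Function names and the backup file path are the example's own.

```powershell
# Added example: lock down and audit the two IE zone actions the advisory names.
# Registry layout (documented by Microsoft): HKCU\...\Zones\<zone>\<action> = DWORD.
# Zone IDs: 1 = Local intranet, 3 = Internet.
# Action IDs: 1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting.
# Action values: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Actions    = [ordered]@{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$ValueNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEZoneState {
    # Report the current setting of both actions for each zone.
    param([int[]]$Zones = @(1, 3))
    foreach ($z in $Zones) {
        $props = Get-ItemProperty -Path (Join-Path $ZonesKey $z)
        foreach ($id in $Actions.Keys) {
            $v = $props.$id
            [pscustomobject]@{
                Zone    = $z
                Action  = $Actions[$id]
                Setting = if ($null -eq $v) { 'Not set' } else { $ValueNames[[int]$v] }
            }
        }
    }
}

function Backup-IEZoneValues {
    # Save the raw values so the lockdown can be undone once the patch is on.
    param([int[]]$Zones = @(1, 3), [string]$Path = (Join-Path $env:TEMP 'ie-zone-backup.xml'))
    $saved = foreach ($z in $Zones) {
        $props = Get-ItemProperty -Path (Join-Path $ZonesKey $z)
        foreach ($id in $Actions.Keys) {
            [pscustomobject]@{ Zone = $z; Name = $id; Value = $props.$id }
        }
    }
    $saved | Export-Clixml -Path $Path
    $Path
}

function Set-IEZoneLockdown {
    # Disable ActiveX in both zones; set Active scripting to Prompt or Disable.
    param(
        [int[]]$Zones = @(1, 3),
        [ValidateSet('Prompt', 'Disable')][string]$ActiveScripting = 'Disable'
    )
    $scriptValue = if ($ActiveScripting -eq 'Prompt') { 1 } else { 3 }
    foreach ($z in $Zones) {
        $key = Join-Path $ZonesKey $z
        Set-ItemProperty -Path $key -Name '1200' -Value 3            -Type DWord
        Set-ItemProperty -Path $key -Name '1400' -Value $scriptValue -Type DWord
    }
    Get-IEZoneState -Zones $Zones
}

function Restore-IEZoneValues {
    # Put back whatever Backup-IEZoneValues recorded (absent values are removed again).
    param([string]$Path = (Join-Path $env:TEMP 'ie-zone-backup.xml'))
    foreach ($entry in Import-Clixml -Path $Path) {
        $key = Join-Path $ZonesKey $entry.Zone
        if ($null -eq $entry.Value) {
            Remove-ItemProperty -Path $key -Name $entry.Name -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $key -Name $entry.Name -Value $entry.Value -Type DWord
        }
    }
}

function Test-MS12063Installed {
    # KB2744842 is the article number MS12-063 shipped under.
    param([string]$KB = 'KB2744842')
    $null -ne (Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

# Usage: audit, lock down until the update is confirmed, then restore.
Get-IEZoneState | Format-Table -AutoSize
if (-not (Test-MS12063Installed)) {
    $backup = Backup-IEZoneValues
    Set-IEZoneLockdown -ActiveScripting Prompt | Format-Table -AutoSize
    Write-Host "Zones locked down; restore with: Restore-IEZoneValues -Path '$backup'"
    # EMET 3.0, if installed, can additionally shield the browser process
    # (command syntax assumed from the EMET 3.0 user guide, not taken from the article):
    #   EMET_Conf.exe --set "C:\Program Files\Internet Explorer\iexplore.exe"
}
```

Two caveats a practitioner should check before relying on this: the script writes per-user values under HKCU, which IE ignores when the policy value `Security_HKLM_only` is set to 1 under the machine's Internet Settings key, in which case the same action values must be written under HKLM instead; and it changes the two actions the advisory names rather than switching the whole zone to the High template, so a zone's displayed level in the IE dialog will read "Custom" until the values are restored.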
The IE patch was not the only fix Microsoft pushed out today. The company also addressed Adobe Flash Player vulnerabilities in the version of Internet Explorer 10 that ships with Windows 8. Microsoft has opted to embed Flash Player in IE 10, meaning the company, not Adobe, is responsible for patching it for Windows 8 users.
Users can expect to see Microsoft coordinate the release of Flash Player patches with Adobe Systems, Wee blogged, adding that sometimes updates may be released outside the normal Patch Tuesday schedule.
“We recognise there has been some discussion about our update process as it relates to Adobe Flash Player,” Wee blogged. “Microsoft is committed to taking the appropriate actions to help protect our customers, and we are working closely with Adobe to deliver quality protections that are aligned with Adobe’s update process.”