IE Zero Day Fixed

Wednesday, January 16, 2013 @ 04:01 PM gHale


Microsoft rolled out an update for Internet Explorer 6, 7 and 8 to close the Zero Day vulnerability which hackers are already using in targeted attacks.

Microsoft’s out-of-band update addresses the critical flaw, the company said in its security advisory. The company had previously released a Fix-It as a workaround to temporarily close the issue. Users who have installed the Fix-It do not need to uninstall it prior to applying the patch, Microsoft said.

RELATED STORIES
Microsoft Sends Out Software Patches
Researchers Bypass Microsoft IE Fix
More Victims in IE Zero Day
IE Zero Day

“The majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically,” Microsoft said in the advisory. Users who update IE manually are strongly encouraged to apply the update as quickly as possible.

This patch comes a week after Microsoft’s scheduled monthly Patch Tuesday release. Security experts had wondered if that meant the company was planning to wait till the February to fix the bug.

Researchers at FireEye discovered in December the Council on Foreign Relations website had been compromised and was infecting visitors using older versions of Internet Explorer by exploiting this vulnerability. Once the Zero Day flaw went public, other researchers uncovered similar attacks on other sites, including microturbine systems manufacturer Capstone Turbine and two Chinese human rights sites. Microsoft released a temporary fix, but researchers at Exodus Intelligence were able to bypass the Fix-It and trigger the security hole.

While the company worked pretty quickly to release this patch, there is still a “high probability” that users haven’t taken the necessary steps, and a large portion of IE users will remain unprotected.

Users are also encouraged to upgrade to Internet Explorer 9 or 10. The issue affects primarily users who are still running Windows XP, which cannot run the newer versions of IE.



Leave a Reply

You must be logged in to post a comment.