IE Update for Zero Day Ready

Friday, September 21, 2012 @ 05:09 PM gHale

Microsoft released an emergency, out-of-band security update for Internet Explorer that patches a Zero Day vulnerability already under active attack.

Earlier this week, the company released a Fix It tool as a temporary workaround until a patch was ready. The Zero Day affects all versions of Internet Explorer (IE) except IE 10.


“Today we released Security Update MS12-063 to address limited attacks against a small number of computers through a vulnerability in Internet Explorer versions 9 and earlier,” said Yunsun Wee, director, Microsoft Trustworthy Computing. “The majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically. For those manually updating, we encourage you to apply this update as quickly as possible.”

In addition to the Zero Day, the update also addresses four other privately disclosed security issues in IE. All four are remote code execution vulnerabilities, but none of them had been exploited in the wild, Microsoft said.

In the case of the Zero Day, the vulnerability is due to the way Internet Explorer accesses an object that has been deleted or was not properly allocated, that is, a use-after-free style memory-safety bug. As a result, the vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user, Microsoft said. Attackers can infect users, the company added, via a specially crafted website designed to exploit the bug, after convincing victims to view the site.

There are a number of mitigating factors for the Zero Day. By default, IE on Windows Server 2003, 2008 and 2008 R2 runs in a restricted mode (Enhanced Security Configuration) that limits the threat posed by the vulnerability. In addition, all supported versions of Microsoft Outlook, Outlook Express and Windows Mail open HTML email messages in the Restricted sites zone, which reduces the risk in this case because that zone disables script and ActiveX controls. A user who clicks a link in such a message and lands in the browser is still exposed, however.

Anyone worried about attacks can also deploy Microsoft's Enhanced Mitigation Experience Toolkit (EMET), and set the Internet and Local intranet security zone levels to High to block ActiveX controls and Active Scripting in both zones. Alternatively, users can configure IE to prompt before running Active Scripting, or disable it outright.
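The zone workarounds above are normally applied through the Internet Options dialog. The PowerShell script below, an added example that is not part of the original article or of Microsoft's guidance, does the same thing per user from the command line: it reads the current state of the two controls Microsoft calls out (Run ActiveX controls and plug-ins, and Active scripting) in the Internet and Local intranet zones, then sets both to Disable (or Prompt). The registry path, zone numbers (1 = Local intranet, 3 = Internet) and action IDs (1200, 1400) are Microsoft's documented zone settings; the function names and the hash-table layout are this example's own.

```powershell
# Added example, not from the original article or from Microsoft.
# Per-user hardening of the IE Internet (zone 3) and Local intranet (zone 1)
# security zones, mirroring the "set zones to High / disable Active Scripting"
# workaround. Documented action IDs: 1200 = Run ActiveX controls and plug-ins,
# 1400 = Active scripting. Documented values: 0 = Enable, 1 = Prompt, 3 = Disable.
# Run in the context of the user whose browser you are hardening.

$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones     = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$actions   = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$labels    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Report the current value of each relevant action in each zone.
function Get-IEZoneState {
    foreach ($id in $zones.Keys) {
        $key = Join-Path $zonesRoot $id
        foreach ($action in $actions.Keys) {
            $val = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
            [pscustomobject]@{
                Zone    = $zones[$id]
                Setting = $actions[$action]
                Value   = if ($null -eq $val) { 'not set (zone default)' } else { $labels[[int]$val] }
            }
        }
    }
}

# Set both actions in both zones to Disable (3) or Prompt (1).
function Set-IEZoneHardening {
    param([ValidateSet(1, 3)][int]$Mode = 3)
    foreach ($id in $zones.Keys) {
        $key = Join-Path $zonesRoot $id
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($action in $actions.Keys) {
            Set-ItemProperty -Path $key -Name $action -Value $Mode -Type DWord
        }
    }
}

'Before:'; Get-IEZoneState | Format-Table -AutoSize
Set-IEZoneHardening -Mode 3          # use -Mode 1 to prompt instead of block
'After:';  Get-IEZoneState | Format-Table -AutoSize
```

Two caveats for deployment: these HKCU values are overridden by any zone policy pushed via Group Policy (the HKLM policy keys, or the "Security Zones: Use only machine settings" policy), so check the effective setting rather than assuming the write took; and disabling Active Scripting in the Internet zone will break many legitimate sites, which is why Microsoft presents it as a temporary workaround and not a substitute for applying MS12-063.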

The IE patch was not the only fix Microsoft pushed out today. The company also took aim at Adobe Flash Player vulnerabilities in the Internet Explorer 10 version included with Windows 8. Microsoft has opted to embed Flash Player in IE 10, meaning the company, not Adobe, is responsible for patching it for Windows 8 users.

Users can expect Microsoft to coordinate the release of Flash Player patches with Adobe Systems, Wee said, adding that updates may sometimes ship outside the normal Patch Tuesday schedule.
