Microsoft released a fix for a zero-day bug being targeted by hackers in an update today. The emergency move also patched four other vulnerabilities in IE as well.
Microsoft released an emergency security
update that squashes a zero-day bug in Internet Explorer that is being targeted
Early this week, the company released a Fix
It tool to provide a temporary solution for users until a patch was ready. The
zero-day impacts Internet Explorer (IE) versions 6, 7, 8 and 9.
"Today we released Security Update
to address limited attacks against a small number of
computers through a vulnerability in Internet Explorer versions 9 and
earlier," blogged Yunsun Wee, director, Microsoft Trustworthy Computing.
"The majority of customers have automatic updates enabled and will not
need to take any action because protections will be downloaded and installed
automatically. For those manually updating, we encourage you to apply this
update as quickly as possible."
In addition to the zero-day, the update also
addresses four other privately disclosed security issues in IE. None of those
four vulnerabilities are known to have been exploited in the wild, Microsoft
said. All four are remote-code-execution vulnerabilities.
In the case of the zero-day, the
vulnerability is due to the way Internet Explorer accesses an object that has
been deleted or has not been properly allocated. As a result, the vulnerability
may corrupt memory in a way that could allow an attacker to execute arbitrary
code in the context of the current user, Microsoft warned. Attackers can infect
users, the company added, via a specially crafted Website designed to exploit
the bug after convincing victims to view the site.
"Microsoft had to respond very quickly
to this bug," said Andrew Storms, director of security operations at
nCircle. "In addition to the serious security threats it posed to their
customers, Internet Explorer's market share is at risk. Many security pundits
and organizations have been telling users to switch browsers until a patch is
available; I'm sure that got the attention of a lot of Microsoft
The German government's Federal Office for
Information Security, or BSI, advised users this week to temporarily switch
browsers until a patch was ready.
There are a number of mitigating factors for
the zero-day. By default, IE on Windows Server 2003, 2008 and 2008 R2 runs in a
restricted mode that limits the threat posed by the vulnerability. In addition,
all supported versions of Microsoft Outlook, Outlook Express and Windows Mail open
HTML email messages in the restricted sites zone, which reduces the risk in
this case because it disables script and ActiveX controls.
In addition, anyone worried about attacks can
deploy Microsoft's Enhanced Mitigation Experience Toolkit and set Internet and
local Internet security zone levels to high to block ActiveX controls and
Active Scripting in both zones. In addition, users can also configure IE to
prompt them before running Active Scripting or disable it outright.
The IE patch was not the only fix Microsoft
pushed out today. The company
aim at Adobe Flash Player vulnerabilities in the Internet
Explorer 10 version included with Windows 8. Microsoft has opted to embed Flash
Player in IE 10, meaning the company will be responsible for patching it for
Windows 8 users.
Users can expect to see Microsoft coordinate
the release of Flash Player patches with Adobe Systems, Wee blogged, adding that
sometimes updates may be released outside the normal Patch Tuesday schedule.
"We recognize there has been some
discussion about our update process as it relates to Adobe Flash Player,"
Wee blogged. "Microsoft is committed to taking the appropriate actions to
help protect our customers, and we are working closely with Adobe to deliver
quality protections that are aligned with Adobe's update process."