Microsoft released an emergency security update that squashes a zero-day bug in Internet Explorer that is being targeted by attackers.
Early this week, the company released a Fix It tool to provide a temporary solution for users until a patch was ready. The zero-day impacts Internet Explorer (IE) versions 6, 7, 8 and 9.
“Today we released Security Update MS12-063 to address limited attacks against a small number of computers through a vulnerability in Internet Explorer versions 9 and earlier,” blogged Yunsun Wee, director, Microsoft Trustworthy Computing. “The majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically. For those manually updating, we encourage you to apply this update as quickly as possible.”
In addition to the zero-day, the update also addresses four other privately disclosed security issues in IE. None of those four vulnerabilities are known to have been exploited in the wild, Microsoft said. All four are remote-code-execution vulnerabilities.
In the case of the zero-day, the vulnerability stems from the way Internet Explorer accesses an object that has been deleted or has not been properly allocated. As a result, memory may be corrupted in a way that could allow an attacker to execute arbitrary code in the context of the current user, Microsoft warned. Attackers can compromise users via a specially crafted website designed to exploit the bug, the company added, once they have convinced victims to view the site.
“Microsoft had to respond very quickly to this bug,” said Andrew Storms, director of security operations at nCircle. “In addition to the serious security threats it posed to their customers, Internet Explorer’s market share is at risk. Many security pundits and organizations have been telling users to switch browsers until a patch is available; I’m sure that got the attention of a lot of Microsoft executives.”
The German government’s Federal Office for Information Security, or BSI, advised users this week to temporarily switch browsers until a patch was ready.
There are a number of mitigating factors for the zero-day. By default, IE on Windows Server 2003, 2008 and 2008 R2 runs in a restricted mode that limits the threat posed by the vulnerability. In addition, all supported versions of Microsoft Outlook, Outlook Express and Windows Mail open HTML email messages in the restricted sites zone, which reduces the risk in this case because it disables script and ActiveX controls.
In addition, anyone worried about attacks can deploy Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) and set the Internet and Local intranet security zone levels to High, which blocks ActiveX controls and Active Scripting in both zones. Users can also configure IE to prompt them before running Active Scripting, or disable it outright.
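The zone hardening described in the two paragraphs above, as an added PowerShell example that is not part of the original article or of any Microsoft tool. It assumes the per-user IE zone keys under HKCU, the standard zone ids (1 = Local intranet, 3 = Internet) and the URL-action ids 1200 (run ActiveX controls) and 1400 (Active scripting); the `Get-IEZoneHardening` and `Set-IEZoneHardening` names are this example's own.

```powershell
# Added example, not from the article or Microsoft. Audits (and optionally applies)
# the zone hardening described above via the per-user IE zone keys under HKCU;
# Group Policy settings under HKLM\...\Policies can override what is set here.
$ZoneRoot  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones     = @{ 1 = 'Local intranet'; 3 = 'Internet' }   # IE zone ids
$HighLevel = 0x12000                                       # CurrentLevel value for "High"
# URL-action ids: 1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting
$Actions   = @{ 1200 = 'Run ActiveX controls'; 1400 = 'Active scripting' }
$Meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Report each zone's template level and both URL actions. Compliant is $true when
# the zone is at High and the action is not Enabled (Prompt counts as acceptable).
function Get-IEZoneHardening {
    foreach ($id in $Zones.Keys) {
        $key   = Join-Path $ZoneRoot $id
        $props = Get-ItemProperty -Path $key
        $level = $props.CurrentLevel
        New-Object PSObject -Property @{
            Zone = $Zones[$id]; Setting = 'CurrentLevel'
            Value = ('0x{0:X}' -f [int]$level); Compliant = ($level -eq $HighLevel)
        }
        foreach ($a in $Actions.Keys) {
            $v = $props."$a"                      # missing value = template default
            if ($null -eq $v) { $name = 'not set (template default)' }
            elseif ($Meaning.ContainsKey([int]$v)) { $name = $Meaning[[int]$v] }
            else { $name = "unknown ($v)" }
            New-Object PSObject -Property @{
                Zone = $Zones[$id]; Setting = $Actions[$a]
                Value = $name; Compliant = ($null -ne $v -and $v -ne 0)
            }
        }
    }
}

# Apply the mitigation: High in both zones, ActiveX disabled, and Active Scripting
# either disabled (3, the default here) or set to prompt (1), as the text allows.
function Set-IEZoneHardening {
    param([ValidateSet(1, 3)] [int] $ScriptAction = 3)
    foreach ($id in $Zones.Keys) {
        $key = Join-Path $ZoneRoot $id
        Set-ItemProperty -Path $key -Name 'CurrentLevel' -Value $HighLevel -Type DWord
        Set-ItemProperty -Path $key -Name '1200' -Value 3 -Type DWord
        Set-ItemProperty -Path $key -Name '1400' -Value $ScriptAction -Type DWord
    }
}

Get-IEZoneHardening | Format-Table Zone, Setting, Value, Compliant -AutoSize
```

Run the audit first; setting the Local intranet zone to High can break internal web applications that rely on scripting, so it is worth checking what will change before calling `Set-IEZoneHardening`.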
The IE patch was not the only fix Microsoft pushed out today. The company also took aim at Adobe Flash Player vulnerabilities in the Internet Explorer 10 version included with Windows 8. Microsoft has opted to embed Flash Player in IE 10, meaning the company will be responsible for patching it for Windows 8 users.
Users can expect to see Microsoft coordinate the release of Flash Player patches with Adobe Systems, Wee blogged, adding that sometimes updates may be released outside the normal Patch Tuesday schedule.
“We recognize there has been some discussion about our update process as it relates to Adobe Flash Player,” Wee blogged. “Microsoft is committed to taking the appropriate actions to help protect our customers, and we are working closely with Adobe to deliver quality protections that are aligned with Adobe’s update process.”