Pretty unusual for Microsoft but they’ve rushed out a fast fix for a 0-day Internet Explorer vulnerability which allows remote code execution and malware dropping. It doesn’t effect the latest version of Internet Explorer (9) but it effects all the common previous versions (6, 7 & 8) – which still accounts for the majority of users.
It is definitely important though, so I can appreciate their urgency. The sad part is most people that will fall for the scam sites that push out such malware won’t know about this patch, so they will remain at risk.
It will help a lot for corporates though managing the entire organization security as many are mandated to use Internet Explorer, and try and keep it secure..
Microsoft has pushed out a temporary fix to defend against a zero-day vulnerability that surfaced in attacks launched last week.
The security flaw (CVE-2012-4792) – which affects IE 6, 7 and 8 but not the latest versions of Microsoft’s web browser software – allows malware to be dropped onto Windows PCs running the vulnerable software, providing, of course, that users can be tricked into visiting booby-trapped websites.
Redmond has released a temporary Fix It (easy-to-apply workaround) pending the development of a more comprehensive patch.
The flaw was initially discovered by security tools firm FireEye on the Council on Foreign Relations website on 27 December.
The flaw was discovered right before the new year on December 27th, so Microsoft have managed to get this temporary fix out pretty fast. I’d imagine the full patch will be rolled into the next Windows Update Patch Tuesday.
I don’t expect anyone reading this is using Internet Explorer, so it wouldn’t effect us anyway – but seen as though you are probably at home over the holidays. Do us all a favour and install Chrome or Firefox on your relatives computers.
The attack had been running for at least a week, and perhaps longer, before it was detected. Retrospective analysis by Sophos suggests the same exploit was used on at least five additional websites, suggesting assaults using the bug are far from limited.
“While the assaults appeared to be targeting a small number of sites, there is no obvious link between the victims,” noted Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post. “Some are referring to this as a ‘watering hole’ attack, but the evidence we have doesn’t necessarily support that conclusion.”
Security watchers advise either applying Redmond’s workarounds, upgrading to IE 9 or using an alternative browser – at least until a proper patch becomes available. The next patch Tuesday is coming up on 8 January. This doesn’t give Microsoft much time but given the high-profile nature of the vulnerability it’s likely that Redmond will release a patch sooner rather than later.
It was exploited for a week at least before discovery, so that’d give a date of around December 20th when it was first seen in the wild. The next Patch Tuesday is coming in 5 days, so we might even see an emergency out of bounds patch for this so it gets pushed out via Windows Update to the masses.
You can check out the Fix It here:
Microsoft Security Advisory: Vulnerability in Internet Explorer could allow remote code execution
Source: The Register
altonius says
MS’s advance security advisory notification for January has now been released and there’s nothing in there for IE6,7 and 8… They still could add it in at a later date.
anon says
As always, great reporting. Quick comment –> it’s affect, not effect.
Darknet says
Haha thanks, and yah…..that one always gets me.