Microsoft fixes IE security hole; another update on Friday

Microsoft has moved quickly to address a vulnerability disclosed a few days ago in some versions of its Internet Explorer web browser. The hole was already being exploited in the wild to deliver malware to users of IE7, IE8, and IE9 on Windows XP, Vista, and 7; the attacks seen so far use a Flash file as part of the delivery, but the underlying flaw is in IE itself.

In a blog post today, Microsoft said that it has made available a new "Fix it" download that should close this hole. The blog states, "This is an easy, one-click solution that will help protect your computer right away. It will not affect your ability to browse the web, and it does not require a reboot of your computer."

Microsoft also plans to offer a further IE security update this Friday. The blog says:

We recommend that you install this update as soon as it is available. If you have automatic updates enabled on your PC, you won't need to take any action – it will automatically be updated on your machine. This will not only reinforce the issue that the Fix It addressed, but cover other issues as well.

Microsoft seems to be making a big deal about this IE update. Indeed, the company is holding a webcast to discuss the IE security issues on Friday at 3 pm ET (noon PT).

Source: Microsoft blog | Image via Microsoft


The Fix it is for disabling the hole (Prevent Memory Corruption via ExecCommand in Internet Explorer); the Friday patch corrects that security hole.

Didn't really read the WHOLE article, but just checked windows update. It's not there yet. Now I've read the WHOLE article and I see why! Duh!!

I'll wait until Friday to get the fix. Not installing some FixIt thing only to have to patch that with the fix Friday!! Sounds like FixIt wasn't even tested!!

Have Flash disabled in all 3 browsers anyway and very seldom use the crap thing, so shouldn't have to worry.

Shadowzz said,
Really, MS doesn't test its patches, fixes/KB?

Every update from MS is highly tested against thousands of popular software packages and OS versions.
That's why it took 4 days to release the patch. The patch itself takes only a few hours to be created.

Funny, this made Dutch newspapers today, even front-page news


"DO NOT USE IE!" saying it's highly insecure and knowing Microsoft an update/fix will be troublesome to install as usual with IE updates

Similar was going on in Germany not too long ago. Some serious anti-IE campaign going on there, damn.
Worst is, IE has been more secure than any other browser in recent years. Last couple of days we saw/see issues with Safari/Chrome/WebKit and it's not a problem. Even though the security hole is just as serious as this one in IE....

meh

David Crane said,

Guess there isn't any. Just another IE promoting comment.

go back a day here on neowin on the frontpage and you'll see the iOS6 webkit security issue which is just as horrible.

not long ago entire OSX was 1 big security flaw the likes we haven't seen in OS history for a decade or so (windows, osx, linux)

But that's all okay, but when MS/IE has an issue, it has to be front page news and everyone has to be told to stop using it?

Shadowzz said,

go back a day here on neowin on the frontpage and you'll see the iOS6 webkit security issue which is just as horrible.

not long ago entire OSX was 1 big security flaw the likes we haven't seen in OS history for a decade or so (windows, osx, linux)

But that's all okay, but when MS/IE has an issue, it has to be front page news and everyone has to be told to stop using it?

I'm sorry, I hate mindless Microsoft bashing as much as the next person, but honestly '1 big security flaw the likes we haven't seen in OS history for a decade'? Windows XP was a decade ago and it shipped without a firewall and I could probably name 20 patched zero days in it from MEMORY.

In the last 12 months OS X has had maybe 5 total? Don't dramatise, it doesn't help your case.

ascendant123 said,
Link to this webkit zero day that's just as serious?

Take the WebKit 0day flaw from yesterday, and apply it to Android and its Android 4 privilege escalation flaw, and you'll have one of the nastiest exploits ever, because most Android 4 devices will never be fixed, and they would be infected by malware with root access just by viewing a website.

Of course, it is much less interesting for hackers to attack android/ios than corporate IE users, even though there are much more flaws in webkit than in IE.

ascendant123 said,

I'm sorry, I hate mindless Microsoft bashing as much as the next person, but honestly '1 big security flaw the likes we haven't seen in OS history for a decade'? Windows XP was a decade ago and it shipped without a firewall and I could probably name 20 patched zero days in it from MEMORY.

In the last 12 months OS X has had maybe 5 total? Don't dramatise, it doesn't help your case.

OSX and webkit have much more security flaws than even XP and IE6.

Just look at the stats on secunia.
In one year, webkit has had 4x more flaws than IE or flash.

And sorry, but Shadowzz is right about the OSX exploit from March:
Never on Windows have we had a documented security flaw unfixed for 45 days allowing hackers to develop and exploit it massively during 15 days without anyone noticing until 500 000 machines had been infected.

That was much worse than this IE exploit that MS has fixed in only 4 days.

CAP-Team said,
So it's actually a flash issue instead of an IE issue

It sounds that way... but it might be a Flash vulnerability used in conjunction with an IE vulnerability...

CAP-Team said,
So it's actually a flash issue instead of an IE issue

Because clicking links is _WAY_ too hard...

A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

Yep, sounds like a Flash issue to me... You can see this CVE for details http://www.cve.mitre.org/cgi-b...name.cgi?name=CVE-2012-4969.

This particular exploit used Flash to set up the environment necessary to use the exploit but any other code delivery mechanism was also possible; Flash was used exactly as intended it just happened to be intended to exploit an IE zero day in this case.

There was actually no issue with Flash here, even though I wish it would die anyway.
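The advisory text quoted above describes the bug class (a handler keeps using an object that script has already deleted) without showing what the fix pattern looks like. The block below is an added illustration, not Microsoft's code, the article's, or anything from the real IE engine: it models a document node with a toy pool allocator whose liveness flag makes a stale read detectable deterministically (a real heap use-after-free is undefined behaviour and would not report itself), and contrasts a handler that borrows a raw pointer across a script callout with one that holds its own reference until it is done. Names such as `exec_command_vulnerable` and `run_scenario` are invented for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not Microsoft's or the article's code). Models the bug class
 * in the advisory text: a handler calls out to script, the script deletes the
 * object, and the handler keeps using it. A toy pool with a liveness flag
 * stands in for the real heap so the stale access is counted instead of
 * being undefined behaviour; nothing here reproduces IE internals. */

#define POOL_SIZE 4

typedef struct Node {
    int  live;       /* 1 while allocated, 0 once the last reference is gone */
    int  refcount;   /* number of owners holding this node                   */
    char text[32];
} Node;

static Node pool[POOL_SIZE];
static int  stale_accesses;   /* reads of a freed node in the current run */

static Node *node_alloc(const char *text) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].live) {
            memset(&pool[i], 0, sizeof pool[i]);
            pool[i].live = 1;
            pool[i].refcount = 1;
            strncpy(pool[i].text, text, sizeof pool[i].text - 1);
            return &pool[i];
        }
    }
    return NULL;
}

static void node_addref(Node *n) { n->refcount++; }

static void node_release(Node *n) {
    if (--n->refcount == 0) {
        n->live = 0;                                 /* "freed" */
        memset(n->text, 0xAA, sizeof n->text - 1);   /* poison like a freed chunk */
        n->text[sizeof n->text - 1] = '\0';
    }
}

/* The field read that, on a real heap, is the memory-corrupting dereference. */
static const char *node_text(const Node *n) {
    if (!n->live) stale_accesses++;
    return n->text;
}

typedef struct { Node *root; } Document;   /* the tree's own reference */

/* Script run during the command drops the document's reference to the node. */
static void script_callback_deletes(Document *doc) {
    if (doc->root) { node_release(doc->root); doc->root = NULL; }
}

/* VULNERABLE: borrows doc->root, calls script, then uses the raw pointer. */
static int exec_command_vulnerable(Document *doc) {
    Node *n = doc->root;
    script_callback_deletes(doc);          /* object is gone after this */
    return (int)strlen(node_text(n));      /* stale read */
}

/* HARDENED: takes its own reference across the callout, releases afterwards. */
static int exec_command_hardened(Document *doc) {
    Node *n = doc->root;
    node_addref(n);
    script_callback_deletes(doc);          /* only drops the document's reference */
    int len = (int)strlen(node_text(n));   /* node still live */
    node_release(n);                       /* last reference: freed here, safely */
    return len;
}

/* Runs one scenario on a fresh pool; returns the number of stale reads. */
int run_scenario(int hardened) {
    memset(pool, 0, sizeof pool);
    stale_accesses = 0;
    Document doc = { node_alloc("hello") };
    if (hardened) exec_command_hardened(&doc);
    else          exec_command_vulnerable(&doc);
    return stale_accesses;
}

int main(void) {
    printf("vulnerable handler: %d stale read(s)\n", run_scenario(0));
    printf("hardened handler:   %d stale read(s)\n", run_scenario(1));
    return 0;
}
```

The point of the contrast is that the fix is not "don't let script delete nodes" but "never assume an object outlives a callout you do not control": the hardened handler pins the node for the duration of its own work, so deletion is deferred until the last owner lets go. That is the same reason the interim Fix it shim and EMET mitigations only block the symptom, while the real patch changes the ownership logic.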

wrack said,
Good that they released it outside of their normal patch cycle and addressed it.

This means hackers still have a day to keep compromising systems, steal credit card information. Nice going Microsoft, we feel much safer now.

David Crane said,

This means hackers still have a day to keep compromising systems, steal credit card information. Nice going Microsoft, we feel much safer now.

Well, after that hackers will have all their time available to exploit the IOS webkit flaw in android4 with root exploit, knowing that it will never be patched on most devices.

So waiting just one day isn't that bad, especially now there is a temporary fix, and there has been the EMET workaround since the beginning.

link8506 said,

Well, after that hackers will have all their time available to exploit the IOS webkit flaw in android4 with root exploit, knowing that it will never be patched on most devices.

So waiting just one day isn't that bad, especially now there is a temporary fix, and there has been the EMET workaround since the beginning.


IOS webkit flaw in android4? you seem a bit confused, no? Is it IOS or android4, make up your mind.

Right, temporary fix that isn't on Windows Update. That will make all the difference to the average Joe that uses a computer and depends on MS Windows Update to be "safe". Especially after this being included in toolkits like Metasploit and being exploited in the wild for such a time now. Microsoft's update policy is broken, they should take a hint from other browsers, that's why IE will just die and fall into oblivion.