Microsoft issues 'Fix it' patch for IE9 and IE10 zero-day exploit

Last week, Microsoft confirmed that a zero-day exploit had been discovered in Internet Explorer 10 and was being used in at least one cyber attack in the wild. Today, the company issued a formal security advisory about the vulnerability and confirmed that it also affects IE9.

Microsoft's newest security advisory (2934088) states:

This issue allows remote code execution if users browse to a malicious website with an affected browser. This would typically occur by an attacker convincing someone to click a link in an email or instant message.

The exploit was first discovered and published by the FireEye security firm, which added that it was used by the as-yet-unidentified attackers to compromise the website of the U.S. Veterans of Foreign Wars. Microsoft has now released a quick "Fix It" patch that blocks the exploit in both IE9 and IE10. Older versions of the browser are not affected by this problem. Neither is Internet Explorer 11, which means users of IE9 and IE10 who are running Windows 7, 8 or 8.1 can upgrade to IE11 and be protected from the issue.

Microsoft will release a permanent security patch for both browsers in the near future, most likely during March's "Patch Tuesday" event.

Source: Microsoft | Image via Wikipedia


11 Comments


One correction for the article: there is no IE11 for Windows 8.0 or Server 2012. The Windows 8.1 upgrade is only free for OEM licenses, and Server 2012 R2 is not free at all.

Kinda poor of the IE team to not make that release available at the same time as they did for Windows 7 and Server 2008 R2 IMHO.

The Windows 8.1 update is free for every Windows 8.0 installation. When 8.1 launched, Microsoft announced that support for 8.0 ends in 2016.

########.

Google patches Chrome as soon as a patch is made, not waiting until the next month. Version 32 has received 3 patches already.

Stuff like this gives IE a well-deserved bad name. MS is a much better and more security-oriented company today vs. the IE 6 days, but you can't wait a month for a freaking patch.

The fact is, silver-haired baby boomers and corps, the typical IE demographic, don't know what fixits are.

Russians are working on crypto lockers right now using this, and the IE bashers will use it as proof IE is still insecure.

Cryptolocker is quite devastating to a corporate share. No, this can't be pushed to 4,000 computers either.

sinetheo said,
Google patches Chrome as soon as a patch is made, not waiting until the next month. Version 32 has received 3 patches already.

Fact is: you can't possibly know when a patch is "made" (ready); you only learn of it when it's made available. So, Google just might, and most likely does, take its time until it makes the patches available. That's because patches need to be tested extensively, so they don't cause more trouble than they actually fix.

That said, Chrome has far more vulnerabilities discovered in any month than all IE versions put together.

Stuff like this gives IE a well-deserved bad name.

Well, it's actually the uneducated masses that give it an undeserved bad name, who have no clue about patch management and such, but always know better than the real experts.

sinetheo said,
Google patches Chrome as soon as a patch is made, not waiting until the next month. Version 32 has received 3 patches already.

Bad comparison. Microsoft still maintains IE6 through 11 as separate entities. Google patches the latest Chrome version only, and the latest is always forced upon all users. If you're on "Version 29", you won't be able to install those 3 patches for Version 32 without moving up to 32 first.

felrefordit said,

Fact is: you can't possibly know when a patch is "made" (ready); you only learn of it when it's made available. So, Google just might, and most likely does, take its time until it makes the patches available. That's because patches need to be tested extensively, so they don't cause more trouble than they actually fix.

True, but for a zero-day like this I think they tend to patch it in days.

sinetheo said,
The fact is, silver-haired baby boomers and corps, the typical IE demographic, don't know what fixits are.

Russians are working on crypto lockers right now using this, and the IE bashers will use it as proof IE is still insecure.

Cryptolocker is quite devastating to a corporate share. No, this can't be pushed to 4,000 computers either.

You are an ass hat of the highest order. If this were a serious enough exploit, then it would be pushed out ASAP by MS, but as it's not being exploited, the need to get it out right now is not high. As for Russians making crypto locker malware already using this exploit, I say ########. Unless you are in touch with Russians doing this, or are in fact Russian yourself and are currently making malware for the zero-day, then just shut your mouth, as you have no proof. Last but not least, if businesses don't have I.T. departments that don't know what fixit patches are, then they shouldn't have computers anyway. I happen to be a Systems Engineer for the company I work for, and yes, we will be deploying this fixit patch to thousands of computers, because it is very much possible. Before you open your mouth with such stupidity, try learning something first. Also look up Config Manager; it's been around since 2007, and WSUS has been around longer.

EWG06STI said,
Also look up Config Manager; it's been around since 2007, and WSUS has been around longer.

And MOM before it, and SMS before. What was my point? I forget. Probably the realization that I'm getting old. Ugh.