Two IE patches released, including one for IE 10

Microsoft has been working quickly to fix a security hole that was revealed a few days ago in Internet Explorer 9 and earlier versions of the web browser. On Wednesday, the company issued a Fix it download that plugged a hole in those browsers that would have allowed malware to be downloaded on a PC via a Flash exploit.

Today, Microsoft released not one but two different automatic IE patches. The first, as described on the Microsoft Security Response Center blog, not only has the fix that was issued on Wednesday for IE 9 and older versions but also contains fixes for "four privately disclosed vulnerabilities that are currently not being exploited." Microsoft recommends consumers update their browsers ASAP.

The second IE-related update is just for people who are using Windows 8 and Internet Explorer 10. You may remember that a few weeks ago, it was discovered that the RTM version of Windows 8 and IE 10 did not contain the latest updates for Flash Player, which fixed some security-related issues. Today, Microsoft announced that an update has been released that updates Flash to the current version for Windows 8 and IE 10.

In its blog post, Microsoft said that it will "coordinate on disclosure and release timing" with Flash publisher Adobe for IE 10 updates from now on. It also says that if there are any issues that are discovered in Flash for IE 10 beyond the planned update schedules, it will also work with Adobe to get the updates to Windows 8 users, adding that, "in some cases we will issue updates outside of our regular monthly security bulletin release."

Source: Microsoft Security Response Center blog | Image via Microsoft


20 Comments


PaCpiS said,
Flash brings a lot of vulnerabilities, that's why Steve Jobs hated it!

while this is true SJ "hated" it 'cos if flash apps and games had been available for iphone and ipad users the app store would have been much less successful - it's kinda like paying for online media streaming or pirating your content, and in this example flash is equivalent of pirating (not legal-wise of course)

as for Flash in IE not being the latest: i trust MS and a version certified by them far more than ANY version just posted by Adobe so no, i don't think this should be an issue

Nazmus Shakib Khandaker said,
I am not getting any updates on Windows 8? What does "release" mean if Windows Update doesn't show any updates!!!

Are you on Windows 8 RTM? Because I just checked Windows Update, and the update is there. Check your update history... perhaps it was installed automatically.

After installing the Windows 8 update, my Flash version is still not the latest.

According to http://www.adobe.com/software/flash/about/ ... in both the Desktop IE 10, and the Modern IE 10, my Flash version (after the update) is: 11,3,374,7

I wish I would have kept track of what version I had before the update, because now I'm wondering if the issue is truly fixed or not.

PUC_Snakeman said,
After installing the Windows 8 update, my Flash version is still not the latest.

According to http://www.adobe.com/software/flash/about/ ... in both the Desktop IE 10, and the Modern IE 10, my Flash version (after the update) is: 11,3,374,7

I wish I would have kept track of what version I had before the update, because now I'm wondering if the issue is truly fixed or not.

While it is not flash 11.4, it is a more recent build of flash 11.3 fixing the vulnerabilities of the last flash security bulletin.

Apparently it was created 3 days ago.

So, no need to worry about that.

greenwizard88 said,
As someone above you pointed out, the flaw was with how flash was working with active x. updating active x may fix the issue, too.

This flash security update is not related to the flaw the article was talking about.

Flash was just used to bypass DEP on WinXP, and that is not a flaw that can be patched.

The flash update here only concerns win8, and fixes flaws that are not yet exploited, thanks to the better memory protections of IE10.

PUC_Snakeman said,
After installing the Windows 8 update, my Flash version is still not the latest.

According to http://www.adobe.com/software/flash/about/ ... in both the Desktop IE 10, and the Modern IE 10, my Flash version (after the update) is: 11,3,374,7

I wish I would have kept track of what version I had before the update, because now I'm wondering if the issue is truly fixed or not.

Do NOT get stuck on version numbers, especially with Flash. Even back when IE9 was released, the 'optimized/GPU assisted' version for IE9 carried a lower version number, even though it was a newer build with all the fixes.

I have to be "stuck" on version numbers, because their "About" page makes it "easy" to see which version I should be running. Now, if their list of "most recent versions" is incoherent or sloppy or incorrect, then that's on them. But, the way they present it to the user, is that the user should ensure they're on the version that they list.

PUC_Snakeman said,
After installing the Windows 8 update, my Flash version is still not the latest.

That's what I was afraid of. The integrated Flash will always be several versions behind, which most certainly is a security threat.

Weissmeister said,

That's what I was afraid of. The integrated Flash will always be several versions behind, which most certainly is a security threat.


The flash in Win8 is better secured than other flashes outside Win8/IE.
Use IE10 64bit or IE10 Metro and this flash security breach is not a problem, as it'll be unable to break through IE10's own security.

The title is misleading.

There is no security update for IE10.
It's just a security update for the Flash player activeX included in win8, fixing flaws that were not exploited.

Also, there is a mistake in the article:
The vulnerability wasn't coming from flash. Flash was just used to bypass DEP on WinXP.
And in the win7 exploit, java and an old version of msvcrt were needed to bypass ASLR and exploit IE8/9. Without these plugins the exploit wouldn't work.

link8506 said,
The title is misleading.

There is no security update for IE10.
It's just a security update for the Flash player activeX included in win8, fixing flaws that were not exploited.

Also, there is a mistake in the article:
The vulnerability wasn't coming from flash. Flash was just used to bypass DEP on WinXP.
And in the win7 exploit, java and an old version of msvcrt were needed to bypass ASLR and exploit IE8/9. Without these plugins the exploit wouldn't work.

This is Neowin, you bring all these fancy things called facts and expect the author to listen?

Silly person.

This was quickly fixed! Ta MS!

I decided to skip the FixIt mainly because I knew Microsoft would release an update sooner than later, but also because the FixIt said it was for 32-bit versions of IE, and with this update, Microsoft fixed both versions of IE in 64-bit Windows.

I also don't use IE as my default browser, though I do use it (it's a great browser).

A340600 said,
This was quickly fixed! Ta MS!

I decided to skip the FixIt mainly because I knew Microsoft would release an update sooner than later, but also because the FixIt said it was for 32-bit versions of IE, and with this update, Microsoft fixed both versions of IE in 64-bit Windows.

I also don't use IE as my default browser, though I do use it (it's a great browser).

Yeah that was one of the fastest fixes ever for a 0day exploit in an MS product! Great job MS!

and IE10 is even more promising with its new sandbox and memory protections!

to all the idiots who think IE is full of flaws, just look at that:

http://cdn2.sbnation.com/impor...browser-vulnerabilities.png
Chrome looks like the Burj Khalifa of security flaws in this chart ^^

http://mobile.theverge.com/201...cure-than-internet-explorer

link8506 said,

Yeah that was one of the fastest fixes ever for a 0day exploit in an MS product! Great job MS!

and IE10 is even more promising with its new sandbox and memory protections!

to all the idiots who think IE is full of flaws, just look at that:

http://cdn2.sbnation.com/impor...browser-vulnerabilities.png
Chrome looks like the Burj Khalifa of security flaws in this chart ^^

http://mobile.theverge.com/201...cure-than-internet-explorer

Whoever wrote that article really needs to cite their sources.

Since 2007, there have been 16 exploitable vulnerabilities in Internet Explorer (source: http://www.cvedetails.com/prod...-Explorer.html?vendor_id=26), and 12 exploitable vulnerabilities in Chrome (source: http://www.cvedetails.com/prod...-Chrome.html?vendor_id=1224).

You might also find it enlightening to search for Chrome and Internet Explorer in the exploit database at http://www.metasploit.com/

IE is a *reasonable* browser (though even IE 9 has some inconsistencies with its handling of CSS3), but its security isn't something to be praised.

robinjam said,

Whoever wrote that article really needs to cite their sources.

Since 2007, there have been 16 exploitable vulnerabilities in Internet Explorer (source: http://www.cvedetails.com/prod...-Explorer.html?vendor_id=26), and 12 exploitable vulnerabilities in Chrome (source: http://www.cvedetails.com/prod...-Chrome.html?vendor_id=1224).

You might also find it enlightening to search for Chrome and Internet Explorer in the exploit database at http://www.metasploit.com/

IE is a *reasonable* browser (though even IE 9 has some inconsistencies with its handling of CSS3), but its security isn't something to be praised.


It isn't something to be praised? Took 1.5 years before the sandboxing system of IE8 was broken through. Took well over half a year before IE9's sandboxing was broken through. Chrome has never had such long periods of unhackableness.
Chrome has been behind on security mechanics ever since the start. Since they've never gotten the largest marketshare, they aren't the primary target.
Not being primary target != secure.

Oh and some exploits take Chrome weeks, months to be fixed. Whereas with IE, after it's found, it usually just takes several days at most or the next Patch Tuesday before fixes are automatically downloaded and installed.