SecurityWeek

Microsoft Patches Internet Explorer Zero Day And Fixes Four Other Flaws

As promised, Microsoft has patched Internet Explorer against the recently disclosed Zero-Day that made headlines all week. In addition, they patched four other flaws that were privately disclosed, but unlike the main vulnerability, were not being exploited in the wild.

On Wednesday, Microsoft released a FixIt tool for those wanting some automated protection from the latest Zero-Day for Internet Explorer. The vulnerability has been actively exploited online and used to deliver various payloads including two Remote Access Trojans, PlugX and Poison Ivy. When Wednesday’s announcement was made by the software giant, they promised that a full patch would be made available by the end of the week, and they delivered on that promise shortly after 1:00 p.m. EST today.

MS12-063 is listed as critical and addresses five flaws. The primary fix is focused on the Zero-Day vulnerability itself, but four other patches are included for privately reported vulnerabilities that are not being attacked online.

“Today we released Security Update MS12-063 to address limited attacks against a small number of computers through a vulnerability in Internet Explorer versions 9 and earlier,” wrote Yunsun Wee, Director of the Trustworthy Computing Group at Microsoft, on the MSRC blog. 

“The majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically. For those manually updating, we encourage you to apply this update as quickly as possible… In addition to addressing the issue described in Security Advisory 2757760, MS12-063 also resolves four privately disclosed vulnerabilities that are currently not being exploited.”

“When Microsoft issues out-of-cycle patches everyone, including organizations and consumers, should take note,” said Marcus Carey, security researcher at Rapid7. “Microsoft typically doesn’t like to patch out-of-cycle, so the fact that they are indicates that this update is really important and organizations should make it a priority.”

“The timing actually works out since downtime for patches like this is typically scheduled over the weekend,” Carey said. “If organizations can’t apply this patch, they should implement the ‘Fix It’ workaround available at Microsoft Knowledge Base Article 2757760. If organizations aren’t able to apply the patch or the Fix It solution, they should use an alternative browser such as Chrome or Firefox. Everyone should always remember to test patches out before deploying them, since patches can sometimes have adverse effects.”

In related news, Microsoft also announced the availability of an update for Adobe Flash Player in Internet Explorer 10 on all supported editions of Windows 8 and Windows Server 2012. The update addresses the vulnerabilities in Adobe Flash Player that were described in Adobe security bulletins APSB12-18 and APSB12-19.
