
Microsoft Patches Internet Explorer Zero Day And Fixes Four Other Flaws

As promised, Microsoft has patched Internet Explorer against the recently disclosed Zero-Day that made headlines all week. In addition, they patched four other flaws that were privately disclosed, but unlike the main vulnerability, were not being exploited in the wild.

On Wednesday, Microsoft released a FixIt tool for those wanting some automated protection from the latest Zero-Day for Internet Explorer. The vulnerability has been actively exploited online and used to deliver various payloads including two Remote Access Trojans, PlugX and Poison Ivy. When Wednesday’s announcement was made by the software giant, they promised that a full patch would be made available by the end of the week, and they delivered on that promise shortly after 1:00 p.m. EST today.

MS12-063 is listed as critical and addresses five flaws. The primary fix is focused on the Zero-Day vulnerability itself, but four other patches are included for privately reported vulnerabilities that are not being attacked online.

“Today we released Security Update MS12-063 to address limited attacks against a small number of computers through a vulnerability in Internet Explorer versions 9 and earlier,” wrote Yunsun Wee, Director of the Trustworthy Computing Group at Microsoft, on the MSRC blog. 

“The majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically. For those manually updating, we encourage you to apply this update as quickly as possible… In addition to addressing the issue described in Security Advisory 2757760, MS12-063 also resolves four privately disclosed vulnerabilities that are currently not being exploited.”

“When Microsoft issues out-of-cycle patches, everyone, including organizations and consumers, should take note,” said Marcus Carey, security researcher at Rapid7. “Microsoft typically doesn’t like to patch out-of-cycle, so the fact that they are indicates that this update is really important and organizations should make it a priority.”

“The timing actually works out since downtime for patches like this is typically scheduled over the weekend,” Carey said. “If organizations can’t apply this patch, they should implement the ‘Fix It’ workaround available at Microsoft Knowledge Base Article 2757760. If organizations aren’t able to apply the patch or the Fix It solution, they should use an alternative browser such as Chrome or Firefox. Everyone should always remember to test patches out before deploying them, since patches can sometimes have adverse effects.”

In related news, Microsoft also announced the availability of an update for Adobe Flash Player in Internet Explorer 10 on all supported editions of Windows 8 and Windows Server 2012. The update addresses the vulnerabilities in Adobe Flash Player that were described in Adobe security bulletins APSB12-18 and APSB12-19.


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
