Late on Sunday, Microsoft announced it would be releasing an emergency patch for Internet Explorer to fix a security hole used to breach Windows computers in targeted attacks. On Monday, as promised, the company shipped the update, which all Windows XP users and below should install immediately.
Here’s Microsoft’s guidance (more details in Microsoft Security Advisory 2794220):
The majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically. For those manually updating, we strongly encourage you to apply this update as quickly as possible.
[I]f you previously applied the Fix it offered through the advisory, you do not need to uninstall it before applying the security update released today. However, the Fix it is no longer needed after the security update is installed, so we are recommending that you uninstall it after you have applied the update to your system.
The reason we say Windows Vista, Windows 7, and Windows 8 users don’t have to bother with this patch is simple: IE9 and IE10 are not affected. Windows 8 comes with the latter, Windows 7 with the former, and Windows Vista users should all upgrade to the former.
The IE zero-day flaw first came to light late last month after security firm FireEye detailed that the Council on Foreign Relations (CFR) had been hacked and was hosting malicious content as early as December 21. Security researcher Eric Romang found that microturbine systems producer Capstone Turbine was also a victim since at least December 18. After that, Avast let us know that multiple sites around the world had been targeted as well, and then the reports just kept flooding in as other security firms dug deeper.
Microsoft responded by issuing a security advisory on December 29 (a Saturday!) and then followed up on Monday (December 31) with a temporary one-click “Fix it” tool. Running it was supposed to prevent the vulnerability in IE6, IE7, and IE8 from being used for code execution, without affecting the user’s ability to browse the Web.
On January 8, the first Patch Tuesday of the New Year, Microsoft did not release a patch for the flaw, leading to speculation on whether users would end up having to wait till February. Thankfully, that did not happen, though it’s not clear what exactly spurred Microsoft to quicken its pace.
When it released the temporary “Fix it” solution, Microsoft said it had “observed only a few attempts to exploit this issue” but nothing widespread. We noted at the time that Microsoft was monitoring the Web to see whether the exploit started being used more broadly (beyond targeted attacks), and only then would the company likely rush out a patch.
The other possibility is that Microsoft’s Fix it solution simply wasn’t good enough. Exodus Intelligence security researchers claimed they had figured out how to bypass it; Microsoft told TNW at the time it was aware of the claim and reached out to the group for more information.
We have contacted Microsoft to see what spurred the company to release a patch before the next Patch Tuesday. The company did note on Monday that it has “seen only a limited number of attacks through an issue in Internet Explorer 6-8, but the potential exists that more customers could be affected” but didn’t go into further detail. We will update this article if we hear back with more.
Whatever the reason, old IE versions can now be patched. Meanwhile, it’s great to see new IE versions were safe all along.
Update at 2:00PM EST: “On Jan. 14, 2013, we released a security update to fully address the issue described by Security Advisory 2794220,” Dustin Childs, group manager of Microsoft Trustworthy Computing, told TNW. “While the impact has been limited, for increased protection customers should apply the update as soon as possible if they do not have automatic updates enabled.” In other words, Microsoft finished testing the patch and deemed it safer to get it out than to sit on it any longer.