Patch Monday – out-of-band Microsoft fix for the IE zero day; Oracle fixes Java

14 January 2013

Out-of-band in this instance means ‘out-of-schedule’. Users will not need to wait for the next official Patch Tuesday in February, but will be updated in the normal fashion via Microsoft Update.

The advance notification issued yesterday for a patch to be pushed out today does not actually specify that it is the same IE zero-day that was discovered early this year and tied to the Elderwood gang (not to be confused with the new, more active Java 0-day discussed last week). It merely says that it “addresses a security vulnerability in Internet Explorer.”

Nevertheless, the bulletin addresses a critical vulnerability affecting the same IE versions (6, 7, and 8) affected by the exploit, and it is almost certainly the same thing. Microsoft has already provided a Fix-It and recommended the use of its Enhanced Mitigation Experience Toolkit (EMET) as a temporary fix. “However, there are reports that variants of this exploit exist that work even if you are using EMET, and even after you have run Microsoft's abovementioned FixIt,” notes Paul Ducklin in the Sophos NakedSecurity blog.

Since this is a critical flaw that is already being actively exploited, it is important to install this patch (or stop using IE 6, 7 or 8) as quickly as possible. “If Microsoft's security team is correct,” comments Ross Barrett of Rapid7, “this vulnerability is still seeing only limited exploitation in the wild, but there is no reason to hold off only releasing a fix now that the patch is ready. It's always a race between security teams and malware writers; in this case, given the attention this vulnerability has received, it likely will not be long before exploitation becomes widespread. Getting a fix out under these circumstances is like immunizing ahead of an outbreak that has already started.”

Ducklin agrees. “By all means, test, digest and deploy. But make this one of those patches you deal with in hours, or in the worst case, days. Not in weeks, and very definitely not in months.”

Meanwhile, Oracle has also acted quickly “to release a fix for the vulnerability (CVE-2013-0422) which as of last week was publicly known to be ‘weaponized’ in widely available black market exploit kits,” comments Barrett. “This fix is available now as Java 7u11 and anyone who uses Java in their browser should update immediately. This fix changes the default Java browser security settings to require user consent to execute Java applets which are not digitally signed, or are self-signed, which indicates that Oracle has made a minor concession against ease-of-use to try to protect users from the next time a Java vulnerability is exploited in the wild.”

It is worth noting, however, that Java security expert Adam Gowdiak says the Oracle update still leaves critical flaws unfixed. “We don't dare to tell users that it's safe to enable Java again,” he said.

