Microsoft issues full Internet Explorer zero-day patch

The software giant issued an interim fix last night, but the update is a full patch. “Today we released Security Update MS12-063 to address limited attacks against a small number of computers through a vulnerability in Internet Explorer versions 9 and earlier,” Microsoft said in its security blog. “The majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically. For those manually updating, we encourage you to apply this update as quickly as possible.” Customers who installed the fix yesterday will not need to uninstall it in order to apply the full security bulletin.

Security Update MS12-063 addresses one publicly disclosed and four privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Understandably, Microsoft has rated the update “critical” for Internet Explorer 6–9 on Windows clients and “moderate” for Internet Explorer 6–9 on Windows servers. Internet Explorer 10 is not affected.

The company also released Security Advisory 2755801 on Friday to address issues affecting Adobe Flash Player in Internet Explorer 10 on Windows 8. “Microsoft released an update to help protect customers from vulnerabilities affecting Adobe Flash Player in Internet Explorer 10,” said Yunsun Wee, director of Microsoft’s Trustworthy Computing Group. “We are working closely with Adobe to help protect our customers and deliver quality protections that are aligned with Adobe’s update process.”

