The advance notification issued yesterday for a patch to be pushed out today doesn’t actually specify that it is the same IE zero-day that was discovered early this year and tied to the Elderwood gang (not to be confused with the new, more active Java 0-day discussed last week). It merely says that it “addresses a security vulnerability in Internet Explorer.”
Nevertheless, the bulletin addresses a critical vulnerability affecting the same IE versions (6, 7, and 8) affected by the exploit, and it is almost certainly the same thing. Microsoft has already provided a Fix-It and recommended the use of its Enhanced Mitigation Experience Toolkit (EMET) as a temporary fix. “However, there are reports that variants of this exploit exist that work even if you are using EMET, and even after you have run Microsoft's abovementioned FixIt,” notes Paul Ducklin in the Sophos NakedSecurity blog.
Since this is a critical flaw that is already being actively exploited, it is therefore important to install this patch (or not use IE 6, 7 or 8) as quickly as possible. “If Microsoft's security team is correct,” comments Ross Barrett of Rapid7, “this vulnerability is still seeing only limited exploitation in the wild, but there is no reason to hold off only releasing a fix now that the patch is ready. It's always a race between security teams and malware writers, in this case given the attention this vulnerability has received it likely will not be long before exploitation becomes widespread. Getting a fix out under these circumstances is like immunizing ahead of an outbreak that has already started.”
Ducklin agrees. “By all means, test, digest and deploy. But make this one of those patches you deal with in hours, or in the worst case, days. Not in weeks, and very definitely not in months.”
Meanwhile, Oracle has also acted quickly “to release a fix for the vulnerability (CVE-2013-0422) which as of last week was publicly known to be ‘weaponized’ in widely available black market exploit kits,” comments Barrett. “This fix is available now as Java 7u11 and anyone who uses Java in their browser should update immediately. This fix changes the default Java browser security settings to require user consent to execute Java applets which are not digitally signed, or are self-signed, which indicates that Oracle has made a minor concession against ease-of-use to try to protect users from the next time a Java vulnerability is exploited in the wild.”
It is worth noting, however, that Java security expert Adam Gowdiak says the Oracle update still leaves critical flaws unfixed. “We don't dare to tell users that it's safe to enable Java again,” he said.