Out-of-Cycle IE Patch Mends Zero Day Vulnerability

Summary:

  • This vulnerability affects: Internet Explorer 6 through 8 (9 and 10 are not affected)
  • How an attacker exploits it: Usually, by enticing one of your users to visit a malicious web page
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patch immediately, or let Windows Automatic Update do it for you

Exposure:

In a previous post, we warned you of a zero day “use after free” vulnerability that affected Internet Explorer (IE) 6 through 8. By luring one of your users to a web site containing malicious code, a remote attacker could exploit the vulnerability to execute code on that user’s computer, with that user’s privileges. As always, if the user has local administrator privileges, the attacker could exploit this issue to gain complete control of the computer. At the time, Microsoft hadn’t fixed this newly discovered flaw, but had released a Fix it that could mitigate its risk.

This week, Microsoft released an out-of-cycle security bulletin containing a full patch for this issue. Attackers are still exploiting this flaw in the wild, so it poses a significant risk. If you use IE 6, 7, or 8, you should patch IE immediately.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s IE security bulletin.
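Before pushing the update, many administrators first want a quick inventory of which hosts actually run an affected IE build and whether the bulletin’s update is already present. The script below is an added example for that check; it is not part of the original alert or of Microsoft’s bulletin. Because this alert does not list the update’s KB number, the script takes it as a parameter (an assumption: copy the number from the “Affected and Non-Affected Software” section of the bulletin). It reads the IE version from the registry, treating major versions 6 through 8 as affected, and looks the KB up with Get-HotFix.

```powershell
# Added example (not from the WatchGuard alert or Microsoft's bulletin):
# report whether this Windows host runs an affected IE version (6, 7 or 8)
# and whether a given update KB is installed.
param(
    [Parameter(Mandatory = $true)]
    [string]$KB   # assumption: pass the KB number from Microsoft's bulletin, e.g. 'KB0000000' (placeholder)
)

$ieKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$props = Get-ItemProperty -Path $ieKey

# IE 10 reports "9.10.x" in Version and its real version in svcVersion,
# so prefer svcVersion when it exists; IE 6-9 only populate Version.
$versionString = if ($props.svcVersion) { $props.svcVersion } else { $props.Version }
$major = [int]($versionString.Split('.')[0])

# The alert covers IE 6 through 8; 9 and 10 are not affected.
$affected = ($major -ge 6) -and ($major -le 8)

# Get-HotFix returns nothing (no error) when the KB is absent.
$installed = [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)

$action = if ($affected -and -not $installed) { 'PATCH NOW' }
          elseif ($affected)                 { 'update installed' }
          else                               { 'not affected' }

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    IEVersion       = $versionString
    Affected        = $affected
    UpdateInstalled = $installed
    Action          = $action
}
```

Run it locally as `.\Check-IEPatch.ps1 -KB KB0000000` (substituting the real number), or fan it out with `Invoke-Command -ComputerName (Get-Content hosts.txt) -FilePath .\Check-IEPatch.ps1 -ArgumentList 'KB0000000'` to collect one row per host. Hosts that show `PATCH NOW` are the ones still exposed to the in-the-wild exploitation described above.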

For All WatchGuard Users:

WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. Nonetheless, we still recommend you install Microsoft’s IE update to completely protect yourself from this flaw.

Status:

Microsoft has released an out-of-cycle patch to fix this vulnerability.

References:

This alert was researched and written by Corey Nachreiner, CISSP.

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

Trackbacks/Pingbacks

  1. WatchGuard Security Week in Review: Episode 48 – 0day Updates | WatchGuard Security Center - January 19, 2013

    [...] Microsoft releases out-of-cycle patch for IE - WGSC [...]

  2. Microsoft Piles on Patches Next Tuesday | WatchGuard Security Center - February 7, 2013

    [...] the middle of last month, Microsoft released an out-of-cycle IE update to fix a flaw attackers were leveraging in the wild. It appears that update didn’t fix [...]

  3. Two IE Bulletins Double the Browser Updates | WatchGuard Security Center - February 12, 2013

    [...] after free” vulnerabilities similar to the ones Microsoft fixed with last month’s out-of-cycle IE bulletin. By luring one of your users to a web site containing malicious code, a remote attacker can [...]
