Microsoft hustles, patches IE to ward off increasing attacks
"Let's call it five days from advisory to patch," said Andrew Storms, director of security operations at nCircle Security. "I'd like to see anybody pull that off."
The so-called "zero-day" vulnerability -- meaning it was leveraged by attackers before Microsoft was aware of the bug, much less able to patch it -- surfaced six days ago. Since then, Microsoft has published an advisory (on Monday), confirmed the vulnerability and issued a "Fixit," one of its automated configuration tools, to block the known exploits (Wednesday).
The Fixit relied on a tactic Microsoft first deployed in January 2011, when it used a "shim," or application compatibility workaround, to thwart then-circulating attacks against IE.
Then, as in the recent Fixit, Microsoft utilized the Application Compatibility Toolkit, included with Windows since XP, to modify the core library of IE -- a DLL, or Dynamic-Link library, named "Mshtml.dll," that contains the rendering engine -- in memory each time the browser ran.
Users who have already enabled the shim do not have to uninstall it -- or disable the Fixit -- when they patch today, Microsoft said.
Today's update was rated "critical" by Microsoft, the company's highest threat ranking.
Of the four non-zero-day vulnerabilities, three were limited to IE9, the edition that debuted in March 2011. The fourth impacted only IE7 and IE8. All five vulnerabilities patched by MS12-063 today, including the zero-day, were tagged as critical.
Security experts said that Microsoft had this update -- sans the patch for the zero-day -- already ready, and failing the hustle to fix the exploited vulnerability, it would have been amongst those delivered next Patch Tuesday, Oct. 9.
"What we're seeing is next month's patch," said Storms. "Given that the four others were all responsibly disclosed, they don't present that much of a threat." Storms also called the other patched bugs "par for the course" for IE.
MS12-063 applies to all supported editions of Windows -- XP, Vista and Windows 7 -- and affects IE6, IE7, IE8 and IE9. Only IE10, the browser bundled with Windows 8, is immune.
Friday's "out-of-band" -- security-speak for an emergency update outside the usual monthly Patch Tuesday schedule -- will be the first that Microsoft has released this year and only the second since September 2010. It was also the first emergency patch of an IE zero-day vulnerability since January 2010, when Microsoft fixed a flaw exploited by the "Aurora" Trojan horse.
Aurora was notable because of its targets: Hackers broke into Google's network, and those of other Western companies, in late 2009 and early 2010 by exploiting a zero-day bug in IE6. Google accused Chinese hackers of the attacks, a charge that prompted the search giant to threaten a shutdown of its Chinese operations.
Because IE10 was not affected by the recent zero-day vulnerability, Storms suspected that Microsoft may have known of the flaw before it publicly surfaced. That would go a long ways in explaining the speed with which it fixed the bug.
"On one hand, it may show just what they can do in a limited time after saying they had increased resources of the IE security team," said Storms of the Microsoft announcement in July. "Or, since we know it was fixed in IE10, they may have had the background work already done [on other editions]. Unless they come out and tell us, though, we'll never know [which is accurate]."
Windows users can obtain MS12-063 via the Microsoft Update and Windows Update services, as well as through the enterprise-grade WSUS (Windows Server Update Services).
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.
Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.