Microsoft to patch zero-day IE bug now under attack
Microsoft today said it will ship eight security updates next week to patch critical vulnerabilities in Windows and Internet Explorer (IE), with the one aimed at IE plugging the hole attackers have been exploiting for months.
“The Critical update for Internet Explorer will be a cumulative update which will address the publicly disclosed issue described in Security Advisory 2887505,” confirmed Dustin Childs on the Microsoft Security Response Center (MSRC) blog today.
Microsoft will release next week’s security updates on Oct. 8 around 1 p.m. ET.
Security experts identified the IE update as the one to deploy first, citing the fact that one of the vulnerabilities has been used by cybercriminals in targeted attacks against users in Japan and Taiwan.
“IE is always top of the list,” said Andrew Storms, director of DevOps at cloud security vendor CloudPassage, in an interview today.
On Sept. 17, Microsoft confirmed that hackers were exploiting a critical unpatched vulnerability in Internet Explorer 8 (IE8) and Internet Explorer 9 (IE9). The bug, however, existed in all versions of the browser, including the 12-year-old IE6 and the newest IE11.
Over the next two weeks, security companies reported that attacks had been aimed at Japanese and Taiwanese organizations since July. And earlier this week, exploit code went public as a working module was added to the open-source Metasploit penetration framework. Researchers predicted that the Metasploit appearance would result in an increase in attacksas less-capable hackers copied the code and added it to their weaponized toolkits.
“Once it went into Metasploit, I anticipated an early release of a patch by Microsoft,” said Storms today. “Obviously the patch is done, but Microsoft’s and its partners’ telemetry must have shown that there were no reasons to go out-of-band.”
Historically, Microsoft has issued “out-of-band” updates—those outside the normal monthly release schedule—only when it believes large numbers of its customers are at risk. The company has never publicly disclosed how it decides when to ship an out-of-band security update.
Early Patch Tuesday this month
The early date of October’s Patch Tuesday—always the second Tuesday of the month—may have played a part in Microsoft’s decision to hold the update and not go out-of-band, Storms said.
The IE update was just one of four rated “critical” by Microsoft. The remaining three critical updates were all aimed at Windows, including one that applied to the newest Windows 8, Windows RT, Windows 8.1, and Windows RT 8.1, according to Microsoft’s advanced notification distributed today.
Experts recommended that customers install the Windows updates as soon as possible after their release. “Bulletins 2 and 3 are through the stack and might end up rating more attention than the IE update,” warned Storms.
Microsoft said Bulletin 3 did not affect Windows 8.1 or Windows RT 8.1, but that Bulletin 2 did.
The other four updates will patch vulnerabilities in Excel, other pieces of Office, the SharePoint collaboration server software and Silverlight, a media format Microsoft seems to have discarded or at least isn’t interested in developing further.
Because the Office-related vulnerabilities were ranked as “important” even though Microsoft said hackers could exploit them to plant malware on customers’ PCs, Storms said it was probable that any attack code required considerable user interaction to work, such as downloading files, opening shared folders or clicking through multiple warnings.
“Being exploited via a drive-by is not going to happen,” said Storms, referring to the most dangerous attacks, which only require a user to visit a malicious website to trigger exploits.