Patch Now--Internet Explorer Flaw Under Attack

Have you applied Microsoft’s fixes and updates from the June Patch Tuesday yet? If not, you’re asking for trouble because a vulnerability that was already addressed by Microsoft is being actively exploited in the wild.

Microsoft security bulletin MS12-037 was this month’s cumulative update for Internet Explorer. It is rated as Critical, and addresses 14 separate vulnerabilities that affect every supported version of Internet Explorer in some way.

One vulnerability in particular is more urgent than the rest, though. There are multiple attacks circulating online that target CVE-2012-1875.

The name of the vulnerability is “Same ID Property Remote Code Execution Vulnerability”, which doesn’t really explain much. Microsoft describes the flaw like this: “A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.”

The bottom line is there is a vulnerability in Internet Explorer, and attackers can exploit that vulnerability to take control of your PC from across the Internet. In fact, some of the attacks against this flaw use JavaScript exploits that can be embedded on malicious Web pages so vulnerable systems are compromised simply by visiting a website.

Zero-day exploits are a sort of Holy Grail of malware attacks, and they get all of the media glory. But the reality is that the vast majority of successful malware attacks target vulnerabilities that are known, and for which a patch has already been issued by the vendor--like this one.

Attackers with the right skills and resources might do their own research to identify unique flaws. However, most malware developers aren’t that talented or dedicated. They’re more likely to wait for Microsoft (or any other vendor) to issue a patch because the patch code itself--along with the details about the vulnerability the patch is designed to fix--provides clues attackers can use to pinpoint and target the flaw.

For some larger businesses it makes sense to test patches on a limited number of sample systems to make sure the fix for one problem doesn’t impact mission-critical servers or applications, and end up causing an even bigger problem. Businesses also often delay patches that require a reboot so they can be applied during non-business hours.

But for consumers, and even most small and medium businesses, Automatic Updates should be enabled in Windows, and for any other software that offers a similar tool. If you’re not using Automatic Updates for some reason, and you haven’t yet downloaded and applied the Patch Tuesday updates yourself, now would be a good time.
