ID: IRCNE2012091621
Date: 2012-09-21
According to "computerworld", Microsoft today released an emergency patch for Internet Explorer (IE) to stymie active attacks that have been exploiting a bug in the browser, finishing a job it started only Monday.
Today's update, labeled MS12-063, fixes five flaws, including one revealed by a security researcher last weekend that hackers have been using to infect Windows PCs with malware.
Microsoft has published an advisory (on Monday), confirmed the vulnerability and issued a "Fixit," one of its automated configuration tools, to block the known exploits (Wednesday).
Users who have already enabled the shim do not have to uninstall it -- or disable the Fixit -- when they patch today, Microsoft said.
Today's update was rated "critical" by Microsoft, the company's highest threat ranking.
Of the four non-zero-day vulnerabilities, three were limited to IE9, the edition that debuted in March 2011. The fourth impacted only IE7 and IE8. All five vulnerabilities patched by MS12-063 today, including the zero-day, were tagged as critical.
MS12-063 applies to all supported editions of Windows -- XP, Vista and Windows 7 -- and affects IE6, IE7, IE8 and IE9. Only IE10, the browser bundled with Windows 8, is immune.
Friday's "out-of-band" -- security-speak for an emergency update outside the usual monthly Patch Tuesday schedule -- will be the first that Microsoft has released this year and only the second since September 2010. It was also the first emergency patch of an IE zero-day vulnerability since January 2010.
Windows users can obtain MS12-063 via the Microsoft Update and Windows Update services, as well as through the enterprise-grade WSUS (Windows Server Update Services).
- 2