Microsoft has rolled out two software patches: one closes vulnerabilities in Internet Explorer versions 7, 8 and 9 that leave the popular browser susceptible to remote code execution; the other updates protection against similar exploits for Adobe Flash Player in IE 10 on Windows 8.
“Microsoft has a monthly cadence for issuing patches, and anytime they come forward with something that is not regularly scheduled, you know that it involves an important threat,” said Marcus Carey, security researcher at Rapid7. “I’m recommending that administrators test the patches in a development environment before rolling them out to make sure that they don’t cause unforeseen issues, but assuming that they pass that testing process, they should move on this immediately.”
Individuals who have enabled Automatic Updates do not need to take additional action.
Microsoft on Wednesday issued a temporary “Fix-it” to mitigate the IE vulnerability, and says that anyone who has installed the “Fix-it” can apply the permanent patch on top of it without first uninstalling the temporary one.
“Keep in mind that a ‘Fix-it’ is similar to a bandage, while the permanent patch fixes the root cause of the problem,” added Carey.
Although Microsoft maintains that the Internet Explorer vulnerability impacts only a “small number of users,” it is also known that the exploit has been loaded into Metasploit and similar testing kits, thereby making it available to a wider range of black-hat hackers, as well as their white-hat counterparts.
The attack typically begins with a malicious website that determines which version of IE the visiting system is running. It then loads additional code to perform a heap spray and load an iframe. Protect.html is then loaded to trigger the vulnerability, at which point Poison Ivy is downloaded. A successful exploit gives the attacker the ability to execute code remotely on the victim's machine.
The IE patch also resolves four privately disclosed vulnerabilities that are currently not being exploited, according to Microsoft.
Meanwhile, the company has also released a security patch for Flash Player when used in Internet Explorer 10 on Windows 8. “We are working closely with Adobe to help protect our customers and deliver quality protections that are aligned with Adobe’s update process,” said Yunsun Wee, director of Microsoft’s Trustworthy Computing Group, in a prepared statement.
Security researchers are advising IT administrators and channel partners to move forward with the updates as quickly as possible.