Internet Explorer zero-day exploit is not addressed, but businesses should implement the workaround
Microsoft is issuing two critical fixes on this month’s Patch Tuesday, one of them affecting its most popular operating system — Windows 7 — in conjunction with Windows Server 2008 R2.
That problem allows remote execution of code on unpatched machines without users doing anything, a situation Microsoft always deems critical.
OTHER PATCH NEWS: VMware patches ‘critical’ vulnerability
HELP: 15 (FREE!) security tools you should try
The other critical bulletin addresses a vulnerability that affects the full range of Windows desktop operating systems from Windows XP to Windows 8 as well as Windows Server 2003, 2008, 2008 R2 and 2012, and also leaves the systems open to remote code execution. “It is likely that it is a vulnerability in one of the base libraries of Windows that is widely used, such as Windows XML Core Services, which had its last fix in July of 2012,” says Qualys CTO Wolfgang Kandek.
While that’s a relatively light load in terms of numbers of critical warnings, it doesn’t mean it will be easy on IT departments making the patches. “There are a lot of restarts this month and they impact nearly all of the Windows operating systems,” says Paul Henry, security and forensic analyst at Lumension, a security, vulnerability and risk management company.
One of the five bulletins designated important – No. 5 – may end up being the most significant in terms of wiping out the threat, says Alex Horan, senior product manager, CORE Security. The problem is located in Vista SP 2, Server 2008 and Windows 7. “This has the potential for the most long-term issues as it represents an extremely large base of potential targets if it is not rectified properly,” Horan says.
This includes Windows RT, the new power-pinching version of Windows 8 for devices based on ARM processors, which is affected by the vulnerability addressed by the second of the critical bulletins as well as by three others that are ranked important, Henry notes. Users should get accustomed to it, he says. “The system has been patched a few times already since being released late last year, and we expect to see it included in many of this year’s Patch Tuesdays,” he says.
None of the bulletins this month directly address a zero-day vulnerability found in the wild over the weekend in fully patched versions of Internet Explorer 6, 7 and 8. The flaw allows attackers to gain control of affected machines. The attack comes from malicious Web sites containing content that exploits the vulnerability in visiting browsers, Microsoft says.
BACKGROUND: Microsoft issues quick fix for critical zero-day hole in IE
The company has issued a workaround but not a patch, and IT departments should make implementing the workaround their top priority, Henry says.
It would have taken a miracle for Microsoft to patch a zero-day one week after a zero-day advisory.
— Andrew Storms, director of security operations for nCircle
It would be surprising if Microsoft had developed the IE patch already, says Andrew Storms, director of security operations for nCircle. “It would have taken a miracle for Microsoft to patch a zero-day one week after a zero-day advisory,” he says.
However, it is possible that one of this month’s patches will repair operating-system vulnerabilities the IE attack could exploit, says Henry. With the details Microsoft has released so far it’s impossible to tell. “If the browser is just a path to an underlying vulnerability in the operating system, then this issue will likely be fixed by one of the patches. If the vulnerability is exclusive to the browser, on the other hand, then this is still something to watch out for,” Henry says.