A 0-day vulnerability affecting all versions of Microsoft Internet Explorer except version 10 on all supported Microsoft operating systems was revealed recently. Microsoft, aware of limited attacks targeting the vulnerability, promised to release an out-of-band patch to protect Internet Explorer users from exploits making use of it.
For the attack to work, Internet Explorer users have to visit a specially prepared website on which it is carried out. A successful attack may give the attacker the same user rights as the user working locally on the computer. It became known that different types of attacks were carried out, some of which dropped a trojan on the system.
Internet Explorer users can mitigate the issue by installing Microsoft's Enhanced Mitigation Experience Toolkit and configuring it to protect Internet Explorer from exploits. Another option that Microsoft suggested to customers was to change the security zone setting of the Internet and Intranet zones to High.
A Fix It was released yesterday that patches the vulnerability on Windows systems, with the promise to release a full patch today. The promised patch has now been released by Microsoft. Windows users can either use the operating system's built-in Windows Update tool to check for the patch and install it on the system, or download the patch from Microsoft's Download Center once it is released there.
This security update resolves one publicly disclosed and four privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows clients and Moderate for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows servers. Internet Explorer 10 is not affected. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The PC needs to be restarted once the update has been downloaded and installed for it to be applied fully. You can find additional information about the security update on the Security Bulletin page on Microsoft.com.
In addition, Microsoft has released an update for the integrated Flash Player in Internet Explorer 10 on Windows 8 that also fixes security vulnerabilities. The update is available via Windows Update or on Microsoft's Download Center.
Here it is available for Windows Server 2012, the Windows Server 2012 Release Candidate, the Windows 8 RTM release, and the Windows 8 Release Preview.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.