Internet Explorer users should be happy to hear that the current crop of known vulnerabilities affecting the browser has been plugged. Microsoft issued a 27MB patch for five vulnerabilities in IE7, 8 and 9, including the zero-day flaw we mentioned last week. Additionally, a separate update was rolled out to Windows 8 users with IE10, patching up an Adobe Flash vulnerability.
Internet Explorer 6, 7, 8 and 9
A few days ago a critical “Remote Code Execution” security flaw was discovered in versions of IE prior to IE10. A computer security expert, Eric Romang, spotted an unpatched “zero day” vulnerability in Internet Explorer versions 6, 7, 8 and 9. The flaw was such that simply browsing a website built for malicious purposes could infect your PC. The vulnerability was detailed in Microsoft Security Advisory 2757760. The advisory described a temporary workaround, which was quite convoluted and not something you would expect less computer-literate users to implement confidently. Thus the German government and a McAfee employee both basically advised users to simply use another browser until a proper update arrived.
Microsoft promised a “one click, full strength fix” and it has now appeared. The fix comes in the form of the MS12-063 update. This 27MB patch fixes the zero-day vulnerability we heard about last week and also four others not yet exploited in the wild. Yunsun Wee, Director, Microsoft Trustworthy Computing, said “The majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically. For those manually updating, we encourage you to apply this update as quickly as possible,” on the TechNet Security Blog.
Windows 8 and Internet Explorer 10
Early Windows 8 adopters, myself included, were vulnerable to malware attacks which exploit known Flash plugin vulnerabilities, until this weekend. Adobe updated the Flash plugin on 21st August, but as Windows 8’s IE10 has Flash built in, it is left up to Microsoft to provide updates for IE10’s Flash component. The 21st August patches fixed serious “Priority 1” vulnerabilities. Microsoft’s initial answer about the timeframe for releasing an update to Flash/IE10 via Windows Update was “in the GA timeframe”. Many people believed that would mean a patch would come along when Windows 8 was generally available (GA) on 26th October. ZDNet’s prodding of Microsoft seems to have caused fingers to be pulled out. A patch for IE10's vulnerable Flash component, which had left the “desktop version of IE10 wide open”, is now available. My Windows 8 IE10 was automatically updated yesterday.