Microsoft issues fix for IE zero day

Summary: [UPDATE] An emergency out-of-band update was released today for the bug in Internet Explorer being exploited in the wild. Windows XP was patched in spite of being past its service life.


UPDATE: On Thursday, Microsoft released an update to address the zero day vulnerability recently disclosed in all versions of Internet Explorer. Windows XP is listed as among the affected platforms, in spite of its support period ending weeks ago.

Adrienne Hall, General Manager, Microsoft Trustworthy Computing, stated: "[T]he security of our products is something we take incredibly seriously. When we saw the first reports about this vulnerability we decided to fix it, fix it fast, and fix it for all our customers."

Users with Automatic Updates enabled do not have to do anything, although running Windows Update will apply the fix immediately.

In a blog entry, Hall explains Microsoft's approach, which is mostly to urge users to move on from Windows XP. The company decided to move quickly once it was made aware of this vulnerability, and to patch Windows XP because the disclosure came so close to the end of its support period.

Further information on the update may be found at KB2964358. Among the advice there: IE will crash if you install the update on a Windows 7 system which does not have KB2929437 installed. If you use Windows Update, these determinations and the appropriate installations will be made automatically. Otherwise, follow the instructions in KB2964358.
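A pre-flight check for the manual-install case described above, as an added example that is not from Microsoft or the original article. The function and parameter names are hypothetical, and it assumes both KB entries are visible to `Get-HotFix` on the target system; the three calls at the end use constructed inventories so each branch can be exercised offline.

```powershell
# Added example: decide whether KB2964358 is safe to install by hand.
# KB numbers come from the article; all names below are hypothetical.
# Written for PowerShell 2.0, the version that ships with Windows 7.

function Test-IEUpdatePrerequisite {
    [CmdletBinding()]
    param(
        # Installed hotfix IDs; defaults to what Get-HotFix reports locally.
        [string[]]$InstalledHotFix = @(Get-HotFix | Select-Object -ExpandProperty HotFixID),
        # OS version; Windows 7 reports 6.1.
        [version]$OSVersion = [Environment]::OSVersion.Version,
        [string]$Update = 'KB2964358',
        [string]$Prerequisite = 'KB2929437'
    )

    $isWindows7 = ($OSVersion.Major -eq 6 -and $OSVersion.Minor -eq 1)
    $hasUpdate  = $InstalledHotFix -contains $Update        # case-insensitive match
    $hasPrereq  = $InstalledHotFix -contains $Prerequisite

    if ($hasUpdate -and $isWindows7 -and -not $hasPrereq) {
        # The combination the article warns about: IE is expected to crash.
        $action = "Crash-prone state: $Update is installed without $Prerequisite; follow the instructions in $Update"
    } elseif ($hasUpdate) {
        $action = 'Nothing to do: update already installed'
    } elseif ($isWindows7 -and -not $hasPrereq) {
        $action = "Do not install by hand: $Prerequisite is missing; use Windows Update or follow the instructions in $Update"
    } else {
        $action = "OK to install $Update"
    }

    New-Object PSObject -Property @{
        OSVersion    = $OSVersion.ToString()
        IsWindows7   = $isWindows7
        HasUpdate    = $hasUpdate
        HasPrereq    = $hasPrereq
        SafeToInstall = (-not $hasUpdate) -and ((-not $isWindows7) -or $hasPrereq)
        Action       = $action
    }
}

# Constructed inventories (not real machine output); KB0000001 is a placeholder.
Test-IEUpdatePrerequisite -OSVersion '6.1.7601' -InstalledHotFix 'KB0000001'  # prerequisite missing
Test-IEUpdatePrerequisite -OSVersion '6.1.7601' -InstalledHotFix 'KB2929437'  # OK to install
Test-IEUpdatePrerequisite -OSVersion '6.1.7601' -InstalledHotFix 'KB2964358'  # crash-prone state
```

Calling `Test-IEUpdatePrerequisite` with no arguments evaluates the local machine instead of the sample inventories.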

[As the screen shot below demonstrates, the Windows XP update was deployed by Microsoft. We successfully installed it on a test system.]


Topics: Security, Microsoft, Windows

  • o.0

    They're issuing it for XP as well? I just... I don't even...
    • Of Course.....

      This is a patch for Internet Explorer, not the Operating System.

      If they don't release the patch for XP users, then Microsoft admits that IE is part of the operating system, which would violate the Antitrust laws in Europe. Remember when they got in trouble for including IE with Windows there?
      • So you don't think...

        ...some files are shared between IE and the OS?
        One does not have to be a part of the other in order to share resources.
        Flash/IE may just be the channel to allow exploit.
        • IE/OS line

          I don't get the impression that he thinks IE and Windows are separate--in fact, many people have come to believe precisely the opposite.

          I think the whole patching IE thing may be a bit of a technicality here; they're not patching XP, but rather Internet Explorer, and since five other versions come under the aegis of support*, what's one more? (it helps that a browser is much simpler to patch than an OS)

          The real test of Microsoft's resolve is yet to come--one major reason they have given to step up is that some multi-version bugs would not be patched in XP anymore, and many exploits would likely target the newly-exposed XP. If such a bug were to become apparent, and Microsoft still patched XP, then they would have some explaining to do.

          *All but one of which were introduced or otherwise made available on still-supported versions of Windows.
          Third of Five
        • Well....

          You can completely remove Internet Explorer without harming the OS.

          Now that is not to say they don't share some files, but really this does show that they are separate products.

          But bottom line is IE does not equal Windows and they should have separate support cycles.
      • MS always said IE was part of the OS

        Your "history" is confused. Microsoft always argued that IE was part of the OS, because its components are used by applications and other system components. They don't have to "admit" that - it's exactly what they've always argued.

        Anti-trust regulators forced them to "unbundle" it because other browser makers claimed including a free, default, browser with the OS was unfair. What they did to comply was to hide IE from the user (e.g. remove it from the start menu) when it is "uninstalled", but virtually all its components remain in place - and need to be patched, even if the user normally uses another browser.
      • But

        none of the versions of IE on XP are currently supported.
      • I understand the logic of that.

        Of course, Microsoft can never do anything right, even when it's right. Why am I not surprised that this is yet another excuse to dump on Microsoft?

        There are plenty of good reasons for criticizing Microsoft. This isn't one of them.
    • MS will issue a fix for IE 8, but only to the corporations/governments

      that paid for XP extended support. Joe Boredom sitting in his den will get nothing.
      • Joe Boredom gets the update.

        "Users with Automatic Updates enabled do not have to do anything, although running Windows Update will apply the fix immediately."
  • Excellent

    Well done!
  • The road to hell is paved with gold...

    I'll believe it when I see the proof and not before.
    • I believe you're mixing metaphors...

      but point taken. You distrust MS.

      Rather silly though, given their predominant tendency to issue a 'no comment'. Going public with a very firmly worded commitment to support would be the height of hubris if they didn't intend to follow through.
  • May or may not require a reboot

    Getting mixed results on if this update requires a reboot.
    • Re: May or may not require a reboot

      Ran the update on a Windows XP and a Windows 7 system.
      The XP system required a reboot, the Windows 7 did not.
      • Reboot...

        I ran it on a Win 8.1 and a Win 7 system and both required a re-boot. Checking for XP patch now...
        • No reboot required

          Updated two other Windows 7 systems. Windows 7 Home and Windows 7 Ultimate.
          Both did not require a reboot.
      • Re: The XP system required a reboot, the Windows 7 did not.

        On my Win 7 64bit laptop, the install went through and rebooted the computer... So it may happen if you have it set to install updates on auto...

    • Requiring a reboot often depends on the circumstances

      Reboot is generally needed if the component being updated is currently in use on the system. That often depends on what tasks are active on the computer at the time. You can minimise the likelihood of needing a reboot by closing all other programs (especially browser windows) when running the update.
      • Sometimes...

        The reboot needed flag might already be up when you apply the IE update which at the end just checks the flag and announces a reboot needed.
        Rann Xeroxx