Microsoft releases critical updates for Internet Explorer flaws

Summary: Microsoft released two eagerly awaited updates for Internet Explorer today, both addressing serious security issues. One covers a zero-day flaw in IE9 and earlier versions, the second updates Flash in Windows 8.

TOPICS: Security, Microsoft

Microsoft released two eagerly awaited updates for Internet Explorer today, both addressing serious security issues.

Security update MS12-063 addresses the IE vulnerability described in Security Advisory 2757760, which has already resulted in some targeted zero-day attacks but has not been widely exploited. A “Fix It” tool was released earlier this week to mitigate the problem. This update patches the underlying vulnerability in Internet Explorer versions 6, 7, 8, and 9. (The issue doesn't affect IE 10 in Windows 8.)

The company also released Security Advisory 2755801, which addresses all publicly known issues affecting Adobe Flash Player in Internet Explorer 10 on Windows 8. This release is exactly one month later than Adobe’s release of the same update for other platforms, including Internet Explorer 9 and earlier.

Both updates will be delivered through Automatic Updates or can be manually installed.

The Flash update requires a restart. After you complete the installation, the Adobe Flash Player Find version page should report 11.3.374.7. (For Google Chrome, the current version is 11.3.31.232.) Note that these numbers are different from the 11.4 release from Adobe that is installed as an ActiveX control (in IE9 and earlier) or a plugin (for Firefox).

Microsoft originally told ZDNet and other publications in early September that the Flash update would be available at the end of October, when Windows 8 was officially released. A few days later, a spokesperson announced that the update would be available “shortly.” It took a little over a week to deliver.

Security experts will be looking carefully at how Microsoft handles Flash updates in the future, now that the Flash Player code is included in Internet Explorer 10 and can’t be removed. If Microsoft is consistently behind Adobe in delivering security updates, it risks exposing Windows 8 customers to the sort of problem that got Apple in big trouble earlier this year. In that OS X fiasco, the Flashback malware infected more than 600,000 Macs, roughly 1% of Apple's OS X installed base, using Java software that was included with the operating system and could not be removed.

In its official announcement, Microsoft says it intends to be aggressive about delivering Flash updates:

We recognize there has been some discussion about our update process as it relates to Adobe Flash Player. Microsoft is committed to taking the appropriate actions to help protect our customers and we are working closely with Adobe to deliver quality protections that are aligned with Adobe’s update process.

With respect to Adobe Flash Player in Internet Explorer 10, customers can expect the following:

  • On a quarterly basis when Adobe normally issues Flash Player updates, we will coordinate on disclosure and release timing.
  • When the threat landscape requires action outside of Adobe’s normal update cadence, we will also work to align our release schedules. For example, this may mean that in some cases we will issue updates outside of our regular monthly security bulletin release.

Those aren’t hard-and-fast promises, but it is noteworthy that Adobe and Google have managed to coordinate their release schedules so that Chrome (which also contains Flash Player as a component) is updated at the same time as the Adobe release. There’s no reason why Adobe and Microsoft can’t do the same, but only time will tell.

Meanwhile, Microsoft deserves credit for its clear and consistent communication on the issue involving the zero-day exploit associated with Security Advisory 2757760. The company has delivered a steady stream of advisories over the past week, acknowledging the problem, offering a mitigation tool, delivering a one-click Fix-It, and then delivering this patch within a week of the original disclosure.

Talkback

68 comments
  • They did it the hard way

    But they got it right in the end. And as a customer, that's what matters the most.
    Michael Kelly
    • Got it right?!

      Nothing is 'right' about Microsoft or its garbage software.
      tek_heretik
    • Yah great they fixed it ..........

      But you still have to wonder WHY that after all these years they still haven't found a way to put out a product that doesn't resemble SWISS CHEESE when it comes to security. When you make BILLIONS & BILLIONS of dollars WHY can't you hire enough people with a higher IQ to get it right in the first place. But we have ED here telling us how lucky we are M$ is taking care of us.........To me that's still BS...

      We can go to the moon and back, but we still have our weekly security hole in IE....go figure.
      Over and Out
      • So, um...

        You realize that this week's update to iOS, the operating system that drives the iPad and iPhone, fixed 197 separate security issues?

        http://www.zdnet.com/apple-provides-197-security-reasons-to-upgrade-to-ios-6-7000004535/

        Or that Chrome 20 fixed 20 security vulnerabilities?

        http://www.zdnet.com/blog/security/chrome-20-fixes-20-security-vulnerabilities/12623

        ALL software that is designed to interact with the Internet has security issues. Deal with it.
        Ed Bott
        • Ed you still didn't answer

          WHY "When you make BILLIONS & BILLIONS of dollars WHY can't you hire enough people with a higher IQ to get it right in the first place."

          Spend the money and quit giving me excuses ....... M$/etc has no problem taking everyone's money, now do they?

          That is the reason I do have to deal with it as you say
          Over and Out
          • Expecting the impossible? Enough Said!!!

            To do what you ask of Microsoft, would mean that, their software should have been written perfect from the beginning, and we'd still be using the first version of IE, and the first version of Windows, and the first version of anything that Microsoft has ever written.

            Also, we'd have to look for the perfect hardware to have been designed and produced from the first version. The perfect hardware would have been produced from the beginning, to use the perfect software that was produced from the beginning.

            But, we live in the real world, with 7 or so billion people in it, each with his own opinions and different needs. And within that world, we'd have trillions of different possibilities for things to go wrong or not as we'd like, or we'd like to change them. To produce such a system of perfect hardware and software, would require God-like powers, and, as far as I can tell, there are no perfect humans, not now and not ever.
            adornoe
          • Re:

            "WHY "When you make BILLIONS & BILLIONS of dollars WHY can't you hire enough people with a higher IQ to get it right in the first place." "

            I suppose you apply the same question to Google and Apple, since they make billions too, right?
            dvm
          • The answer is that money can't fix everything.

            WHY 'When you make BILLIONS & BILLIONS of dollars WHY can't you hire enough people with a higher IQ to get it right in the first place.'

            Apple currently has more cash than Microsoft, last I checked, and Google is a pretty huge corporation. Dare I ask the same about them?

            Throwing money at software won't magically fix it.
            CobraA1
          • Ok, we got it.

            Both Google and Apple are not Billions of $ companies, only Microsoft. /sarcasm
            Ram U
          • Solution to all vulnerabilities past, present & future. No updates required

            "WHY "When you make BILLIONS & BILLIONS of dollars WHY can't you hire enough people with a higher IQ to get it right in the first place."

            Spend the money and quit giving me excuses ....... M$/etc has no problem taking everyones money, now do they?"

            It's simple just turn off your Router and all your devices will be safe from any future vulnerability. Or better yet, just turn off all devices accessing the Internet.


            I gather you have never written a simple script or anything with input validation, or error handling. Until you experience a fault, you can only foresee so much.
            mantariz
      • Can't get there from here

        They haven't done it because it isn't possible. There are actually quite a few things that humans strive to do, but never quite achieve because of basic limitations in the human mind. It's not that we lack the technology, it's that no human can simultaneously comprehend all the factors that have to be dealt with in order to fashion a solution.

        Complex software is only one of those. Macroeconomic policy is another. Fashioning new drugs is rapidly turning into a third: too many moving parts operating at once, not enough neurons in anybody's brain to comprehend what's going on.

        Until our new computer overlords arrive, we're stuck with this. Then we'll be stuck with something worse.
        Robert Hahn
        • Of course it is possible

          What isn't possible is to sell a bug free full featured OS that is updated on an annual (or near annual) basis for ~$100 on hardware that is ~$1,000.

          We can choose to use bug free $100 calculators. We can choose to wait 50 years for the privilege of paying $50,000 for a (nearly) bug free computer. Or we can have what we have today. Since the occasional crash or security vulnerability is better than paying $50,000 in 50 years and is better than limiting ourselves to calculator type functionality, we end up with what we have today. It is all about value. The alternatives provide us very little value. The free market has spoken. The PC (I'll include tablets and smartphones) as it is today, warts and all, provides consumers with the best value.
          toddbottom3
        • re

          that says it pretty well!
          preferred user
        • re can't get there from here

          that says it pretty well.
          preferred user
        • Can't get there for other reasons, too

          @Robert Hahn:

          In the case of macroeconomic policy and development of effective medications that always work the way they're supposed to work with no side effects, it’s true that our brains can't handle the computations. The same is true for other complex systems, such as the weather.

          But there’s a far more fundamental reason we can’t create solutions that have perfect predictability for complex systems---namely, the fact that we don’t have any science that tells us how to handle such things. The science of complex systems is still in its infancy, and even the best efforts of economics, medical science, and meteorology still use hopelessly inadequate models. They are derivatives of the Newtonian paradigm, which treats everything as though it were a machine.

          But global economics, the weather, and human neurochemistry aren’t machines. You pin-pointed the essence of the problem with your statement that there are “too many moving parts operating at once”. That’s exactly correct. There is no generalized solution for the n-body problem. Complex systems are relational by their very nature. A change in one part affects all other parts, usually in ways we can’t even accurately model, much less predict. That’s why climate change predictions are political fantasy, not fact.

          Computers are a different story. Software and hardware systems can be increasingly complicated (and they are) without being complex. Until they can learn (that is, until they can exceed the capabilities of the programs they run), they’re still simple systems. In principle, it should be possible to design machine-based systems that operate perfectly, or at least to design systems that can design such systems. But within the practical economic constraints imposed by the real-world context of millions of users who need software and hardware tools NOW, what’s “possible” isn’t relevant. If it’s not economically feasible, it might as well not be possible.

          Nevertheless, your point is well taken. When machine-based systems become sufficiently complicated that it takes an army of people to maintain the code base, it becomes decreasingly possible for anyone to understand every aspect of the entire system. Even with the best configuration management systems riding herd on the code, error is inevitable.
          slingzenarrowzuvowtrayjissforchin
      • Maybe you should

        rise to the challenge and be the first human being that writes flawless code?

        As said already, whether you run Windows, OSX or Linux, security vulnerabilities are a fact of life, deal with it, or rise up to that challenge, good luck.
        sjaak327
        • sjaak327 ....it's not up to me to get it right

          Everything is rushed to market without the proper testing being done, if they're doing any testing at all...............they use us as field testers to find out / point out all their mistakes and I feel that's BS ....... especially M$ ......when was the last time you counted the patches that have been issued on W-7 since it came out...........it's a JOKE to continually put out crappy code and you know it.........coders aren't properly checking their code before releasing it in my eyes ...........everything is to meet a deadline and it's killing the end product...........

          If the Auto Industry took the same attitude as the IT Industry we'd all be dead ....thank god they don't
          Over and Out
          • Auto industry...

            "If the Auto Industry took the same attitude as the IT Industry we'd all be dead ....thank god they don't"

            Well, you're way off base on a few fronts:

            1) The idea that a company like Microsoft would release software without testing is absurd. There aren't many statements that you could have made that would have proven your lack of understanding of the software industry more than this one.

            2) I don't know if you're aware of this or not, but there are far more moving parts within an operating system and a computer than there are in a car. If the auto industry had to deal with the level of complexity that the software industry had to, we wouldn't have new models of cars every year, and compact cars would cost hundreds of thousands of dollars to build.

            3) Have you seen the list of recalls in the past year? I think you're being pretty quick to praise the auto industry for having a better release-time track record than Microsoft.
            daftkey
          • daftkey...I fully understand the software industry

            1) They do rush things to market
            2) They don't fully test all aspects of their software
            3) The Auto industry does have fewer issues per year than the software industry and an auto will most likely be more USABLE for a longer period of time than a software program will.

            (my # 4) The complexity of software as you call it can also be described as bloatware (ten different needless steps/ways to execute the same function) by many as the real problem software related issues. The dumbing down of software is also a huge issue.

            The IT/Software industry has never learned one simple premise "TO KEEP IT SIMPLE" now have they?
            Over and Out