Microsoft to ship emergency IE patch to thwart active attacks

Microsoft to ship emergency IE patch to thwart active attacks

Summary: Redmond will release a critical out-of-band Internet Explorer update to help stop targeted attacks in the wild.

SHARE:
TOPICS: Security
23

Microsoft has announced plans to ship a critical out-of-band Internet Explorer update tomorrow (Friday, September 21) with fixes for a dangerous browser vulnerability.

The emergency fix comes a week after news emerged that a zero-day flaw in the browser was being exploited in targeted attacks.

The vulnerability affects all versions of the browser up to Internet Explorer 9.  The newest IE version 10 is not affected by this issue.

The raw details:

"A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website."

Microsoft insists the in-the-wild attacks only affect "a small number" of Windows users but warned that there is a legitimate risk of these attacks expanding beyond specific targets.

The company has also released a Fix it tool that provides a temporary fix for users worried about the attacks.  The Fit it is described as "an easy, one-click solution that will help protect your computer right away.  It will not affect your ability to browse the web, and it does not require a reboot of your computer."

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

23 comments
Log in or register to join the discussion
  • Just Dump IE

    I did a long time ago for obvious reasons. If this is not obvious enough, then you may be oblivious...
    Splork
    • not only IE

      just dump that Windoze crap and switch to much better platforms like Mac and Linux
      shellcodes_coder
  • @Dork ^

    http://www.theverge.com/2012/9/19/3358964/is-chrome-really-that-much-more-secure-than-internet-explorer
    sagec
    • Couldn't find the "Reply" button?

      Who said anything about Chrome?

      Oh, you did...

      Well you sure left out a number of alternatives but you're so smart that you probably knew that.
      Splork
  • Does not require a reboot?

    But how is this possible? We keep getting told that IE is embedded in the kernel.

    Huh.

    "in the context of the current user within Internet Explorer"

    And we are constantly told by all the Apple and Linux fanbois that exploits don't matter if they are run in the context of the current user.

    Huh.

    Kudos to MS for reacting quickly and patching this (Linux gets kudos too, they react the fastest of them all). Boo and hiss to Apple for sitting on patches for months at a time. They just admitted that iOS 6 fixes 197 vulnerabilities, some allowing remote code execution. They didn't wait a month or 2 months, they waited a year to patch these. Boo hiss.
    toddbottom3
    • Kernel??

      Find me *one* instance where Microsoft said IE was "embedded in the kernel." I dare you.

      iexplore.exe is a user-mode app built on shared DLLs that can be used by other user-mode apps. If none of those DLLs are in use, of course it can be updated without rebooting.
      PB_z
    • Sarcasm?

      On second read... Maybe the snarkiness re: the kernel is sarcasm aimed at other IE bashers and not aimed at MS... I can't really tell. :)
      PB_z
    • This has been there for 6 years

      You mindless Microsoft troll. It took 6 years to fix it, and you complain if Apple takes a month?
      Troll Hunter J
  • Microsoft to ship emergency IE patch to thwart active attacks

    It was the right thing to do by Microsoft even if its a small number of users that were affected. Once patched we won't be hearing any more of this.
    Loverock Davidson-
    • is it

      because a small number of users use IE or because ie 10 isn't affected... Not to say users affected are IE 7, 8 & 9 which makes up a large segment of windows users.
      Anthony E
  • Who cares?

    I don't use Windoze cause I have switched to the world's best OS--OS X
    shellcodes_coder
    • lol

      ok, have fun with OS X. when apple decides to release the next version, they can tell you about the 259 vulnerabilities that existed in OS X while you were happily bouncing around the internet without a security concern in the world.
      archangel127
      • As oppose to the 2,500 vulnerabilities that exist

        In Windows 7? or the 2,450 in Vista, or the 25,000 in xp?
        Troll Hunter J
        • D is for Dumb @ $ $...

          psssst... thats you...

          at least microsoft has the decency to tell you about the 2,500 vulnerabilities that exist and tries to patch them in a timely fashion, rather than wait until the next version is out and then tell you, so you know how screwed you were while you were using the old program. or is that their way of getting you to switch to the next version? hmmm... with apple phan-boys its not easy to tell.
          archangel127
          • Really, who uses Microsoft any more?

            I haven't used it in 11 years. It's sort of having to sell itself down the food chain, with an ever diminishing audience.

            Five years from now, or possibly sooner, "Microsoft will be smaller than Microsoft, as Linus Torvalds said in a 2000 CNN interview.

            http://www.youtube.com/watch?v=7V7okgYPVLE
            Joe.Smetona
          • Really, how far do I have to go to see someone using an Android phone?

            900.000 activations per day.

            http://www.youtube.com/watch?v=KFKxlYNfT_o
            Joe.Smetona
          • Actuall the above is outdated information.

            It's actually 1,300,000 Android activations per day.

            People are getting away from using Internet Explorer in mobile devices. As they become familiar with Firefox and Chrome on mobile, they are more likely to use ti on Windows devices instead of IE.
            Joe.Smetona
        • Your post is providing proof the MS doesn't check it's source code.

          Apple may not be perfect, but it has taken a sharp right turn into a proprietary corner. This hasn't helped their security. However, they are still light years ahead of MS and Linux is the best bet for security.

          I have pointed out many times that because of the proliferation of anti-virus products, and a majority of non-discriminating users, they don't have to spend the time, money and manpower to produce secure source code. They rely on the ambiguity of the compiled source code to "hide the needle in the haystack".

          But with today's technology, keeping things hidden becomes difficult compared to 10 or 20 years ago.

          If you ever used Mutek black box software you are aware of what I'm talking about.
          Joe.Smetona
  • I do not care

    I've already used IE to download Firefox. I do not need it any more.
    Although, thanks to Microsoft for providing patch for those tribals who have buried themselves under the Rock and do not know of any other browser.
    adeekshith
    • And yet

      Even if you wisely choose to not use it, you have to maintain it. Because microsoft welded it to the OS.
      Troll Hunter J