Microsoft released two eagerly awaited updates for Internet Explorer today, both addressing serious security issues.
Security update MS12-063 addresses the IE vulnerability described in Security Advisory 2757760, which has already resulted in some targeted zero-day attacks but has not been widely exploited. A “Fix It” tool was to mitigate the problem. This update patches the underlying vulnerability in Internet Explorer versions 6, 7, 8, and 9. (The issue doesn't affect IE 10 in Windows 8.)
The company also released Security Advisory 2755801, which addresses all publicly known issues affecting Adobe Flash Player in Internet Explorer 10 on Windows 8. This release is exactly one month later than Adobe’s release of the same update for other platforms, including Internet Explorer 9 and earlier.
Both updates will be delivered through Automatic Updates or can be manually installed.
The Flash update requires a restart. After you complete the installation, the Adobe Flash Player Find version page should report 11.3.374.7. (For Google Chrome, the current version is 18.104.22.168.) Note that these numbers are different from the 11.4 release from Adobe that is installed as an ActiveX control (in IE9 and earlier) or a plugin (for Firefox).
Microsoft originally told ZDNet and other publications in early September that the Flash update would be available at the end of October, when Windows 8 was officially released. A few days later, a spokesperson announced that the update would be available “shortly.” It took a little over a week to deliver.
Security experts will be looking carefully at how Microsoft handles Flash updates in the future, now that the Flash Player code is included in Internet Explorer 10 and can’t be removed. If Microsoft is consistently behind Adobe in delivering security updates, it risks exposing Windows 8 customers to the sort of problem that got Apple in big trouble earlier this year. In that OS X fiasco, the Flashback malware infected more than 600,000 Macs, roughly 1% of Apple's OS X installed base, using Java software that was included with the operating system and could not be removed.
In its official announcement, Microsoft says it intends to be aggressive about delivering Flash updates:
We recognize there has been some discussion about our update process as it relates to Adobe Flash Player. Microsoft is committed to taking the appropriate actions to help protect our customers and we are working closely with Adobe to deliver quality protections that are aligned with Adobe’s update process.
With respect to Adobe Flash Player in Internet Explorer 10, customers can expect the following:
- On a quarterly basis when Adobe normally issues Flash Player updates, we will coordinate on disclosure and release timing.
- When the threat landscape requires action outside of Adobe’s normal update cadence, we will also work to align our release schedules. For example, this may mean that in some cases we will issue updates outside of our regular monthly security bulletin release.
Those aren’t hard-and-fast promises, but it is noteworthy that Adobe and Google have managed to coordinate their release schedules so that Chrome (which also contains Flash Player as a component) is updated at the same time as the Adobe release. There’s no reason why Adobe and Microsoft can’t do the same, but only time will tell.
Meanwhile, Microsoft deserves credit for its clear and consistent communication on the issue involving the zero-day exploit associated with Security Advisory 2757760. The company has delivered a steady stream of advisories over the past week, acknowledging the problem, offering a mitigation tool, delivering a one-click Fix-It, and then delivering this patch within a week of the original disclosure.