Microsoft patches zero-day Internet Explorer flaw
By Stewart Mitchell
Posted on 14 Jan 2013 at 10:25
Microsoft will release an out-of-band update to fix a critical zero-day flaw in Internet Explorer later today.
Discovered at the end of December, the vulnerability affected IE versions 6, 7 and 8 and allowed hackers to run remote code on user machines after infected websites distributed the malware.
Microsoft issued a temporary fix shortly after the critical flaw was discovered, but the company said a full fix should be released this afternoon, with a webcast to explain the implications and procedures.
According to security experts and Microsoft, admins should waste no time in applying the update, with exploits already in the wild.
"When the crooks are already all over an exploit, as they are in this case, you should give patching your highest priority, even if you already have tools (such as security software) that does a good job of mopping up the trouble," said security firm Sophos in a blog post.
Microsoft had previously told admins to use the company's Enhanced Mitigation Experience Toolkit to help counter the threat, as well as to deploy "the Microsoft FixIt solution, MSHTML Shim Workaround to prevent the exploitation of this issue".
However, security experts said they had seen evidence that hackers were able to compromise this initial solution.
"There are reports that variants of this exploit exist that work even if you are using EMET, and even after you have run Microsoft's FixIt," said Sophos. "Metasploit, the vulnerabilities-anyone-can-exploit-for-free product, already has what it calls a browser auto pwn plug-in you can download to exploit this vulnerability yourself."