Microsoft today shipped an emergency update for Internet Explorer (IE) to stymie attacks that have been occurring since at least Dec. 7.
The "out-of-band" update -- the label for a security fix outside a vendor's normal schedule -- was expected by experts, who last week predicted Microsoft would issue a fix for the IE flaw before the next Patch Tuesday on Feb. 12.
One of those experts congratulated Microsoft on making even emergency updates boring.
"It's as ordinary as only Microsoft could make an [out-of-band] release ordinary," said Andrew Storms, director of security operations at nCircle Security, in an interview via instant messaging. "While it's rare they go out of band, their idea of emergency is still calm and to the letter of the process."
And that, said Storms, is a good thing. "So much about managing risk [in the enterprise] is about not losing your head and getting caught up in the FUD (fear, uncertainty and doubt)," Storms added. "Microsoft knows how to keep things on a cool and calm pace. They recognized the threat, made a plan, issued mitigation efforts and eventually released an out-of-band. All that within a short time frame. Seems like a classic example of how to run incident response."
Today's MS13-008 update patches a single critical vulnerability in IE6, IE7 and IE8, plugging a hole acknowledged by Microsoft on Dec. 29 after security firms said the website of the Council on Foreign Relations (CFR), a noted U.S. foreign policy think tank, was hosting attack code targeting IE8.
Since then, researchers have found evidence of attacks as far back as Dec. 7 and monitored other domains that have conducted similar drive-bys.
Shortly after it warned customers of ongoing attacks, Microsoft released an automated "Fixit" tool to block exploits; recommended that customers deploy the Enhanced Mitigation Experience Toolkit (EMET), another anti-exploit utility; or, if possible, upgrade to IE9 or IE10, neither of which contain the vulnerability.
However, Exodus Intelligence, a company composed of several researchers who once worked at HP TippingPoint and its Zero Day Initiative bug-bounty program, claimed that the Fixit's and EMET's protections could be circumvented. And Windows XP customers were unable to upgrade from IE8, since Microsoft has barred them from running IE9 or IE10.
Because Microsoft patched only the one zero-day vulnerability, said Storms, it's probable that next month's Patch Tuesday will include a wider-ranging IE update. "We do need to remember that its very likely we will still have a regular IE update in February," Storms said. "So just as soon as we are done getting this bad boy distributed, there will be another update waiting."
One possible sticking point with today's emergency patch is that it is not a cumulative update, or one that includes all past IE patches, as is the norm for IE. Users must also apply last month's MS12-077 to be up-to-date, and according to Microsoft, to avoid problems down the road.
"Customers who have not installed the latest cumulative security update for Internet Explorer [MS12-077] may experience compatibility issues after installing the MS13-008 update," Monday's security bulletin stated.
Today's out-of-band update was the first since September, and only the fourth since September 2010.
Windows users can obtain MS13-008 via the Microsoft Update and Windows Update services, as well as through the enterprise-oriented WSUS (Windows Server Update Services).
