September 21, 2012

Microsoft has released an emergency update for Internet Explorer that fixes at least five vulnerabilities in the default Web browser on Windows, including a zero-day flaw that miscreants have been using to break into vulnerable systems.

The patch, MS12-063, is available through Windows Update or via Automatic Update. If you installed the stopgap “fix it” tool that Microsoft released earlier this week to blunt the threat from the zero-day bug, you need not reverse or remove that fix it before applying this update. The vulnerability resides in IE 7, 8, and 9, on nearly all supported versions of Windows, apart from certain installations of Windows Server 2008 and Windows Server 2012.

Separately, Microsoft issued an update for vulnerabilities in Adobe Flash Player in Internet Explorer 10 on all supported versions of Windows 8 and Windows Server 2012. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10. Adobe addressed these in two separate Flash updates last month, including a fix for a Flash zero-day that has been under active attack.


11 thoughts on “Microsoft Fixes Zero-Day, Four Other Flaws in IE”

  1. Jerry

    Brian, I have noticed that your site is running an ad for a Kevin Mitnick course. That leaves me with a vague, queasy feeling. Do you have a take on this ad?

    1. brian krebs

      I realize he is a controversial figure. On the other hand, I’m a huge proponent of security awareness training, so I’m happy to promote good efforts toward that end. It’s hard to think of someone more qualified, since most attacks these days involve some kind of social engineering.

  2. Nance

    This “fix” absolutely broke my IE. I’m running Vista and IE8. Just dead-in-the-water broke. Wheels spin and nothing happens until it dies. I’m using Firefox to post this.

    1. Rick Zeman

      That’s probably the best way to “fix” IE…make it non-functional.

    2. JimboC

      Hi Nance,

      This is in complete contrast to my experience with this update. I have loaded it on 7 installations of Windows (ranging from XP SP3 32 bit with IE 8, Vista Ultimate 64 bit SP2 with IE 9 and Windows Ultimate 7 64 bit SP1 with IE 9) with no issues.

      Windows Vista supports IE 9; I would first suggest installing that using Windows Update. Here is a support article that explains how to check for Windows Updates:

      http://windows.microsoft.com/en-US/windows-vista/Install-Windows-updates

      Internet Explorer 9 should be among the list of updates available.
      If you wish to stay with IE 8 or are still encountering issues after installing IE 9, I would suggest a reset of Internet Explorer. Please follow the steps to reset IE in the following Microsoft Support Article:

      http://support.microsoft.com/kb/318378/en-us

      If you are still encountering any issues, please run the Internet Explorer Automated Repair Tool available from the following link:

      http://support.microsoft.com/mats/ie_performance_and_safety/en-us

      Finally, I would suggest checking Windows for corrupted system files and repairing them using the System File Checker. The steps below explain how to do this:

      ———————————————-
      The following steps do not require you to insert the Windows Vista or Windows 7 installation DVD to restore uncorrupted files to your computer.

      1. Press Start, type cmd in the search box of the Windows start menu.

      2. A black icon with the word cmd beside it will appear at the top of the Start menu.

      3. Right click this icon and choose “Run As Administrator” from the menu that appears. Click Yes or enter your administrator password to continue if UAC (User Account Control) is enabled. A black Command Prompt window will appear.

      4. In this Command Prompt window, type sfc /scannow

      5. Press Enter

      6. Please wait for the process to complete. Please restart your computer once this process has completed.

      For further information, please refer to the knowledge base article linked to below.

      http://support.microsoft.com/kb/929833/en-us
      ———————————————-

      If you require any further assistance, please let me know or contact Microsoft for technical support.

      Please note that since this update caused the issues with Internet Explorer to begin happening, you should not be charged for technical support. Microsoft provides free support for issues caused by security updates.

      Please quote the knowledge base article number of the update that has caused the issue for you. This Internet Explorer out of band security update is kb2744842.

      You can contact Microsoft Support from the following link:

      http://support.microsoft.com/select/?target=assistance

      Please note that while I am familiar with troubleshooting Windows issues (I also use this knowledge for my job), I am NOT a Microsoft employee.

      I hope this information is of assistance to you. Thank you.

  3. Rabid Howler Monkey

    Microsoft appeared to be pretty quick responding to this latest Internet Explorer zero-day. I, for one, was impressed. First, the recommendation to install and configure EMET for IE. Followed by a fix it tool and, then, the patch.

    Was this apparent quickness a result of Microsoft having been informed of the zero-day by another party prior to Eric Romang? In fact, Microsoft credited an anonymous researcher working with HP’s Tipping Point Zero Day Initiative (ZDI) for the vulnerability discovery. According to Eric Romang’s blog, ZDI likely reported this vulnerability to Microsoft anywhere from a month to well over a year before Eric Romang himself did. More here:

    http://eromang.zataz.com/2012/09/21/microsoft-internet-explorer-0day-reported-by-zdi-to-microsoft/

    And how did the miscreants get their mitts on the IE zero-day which they then used to craft an exploit? Independent discovery of the zero-day? Or, perhaps, through purchase from a third party? Some believe that the zero-day might have been reverse engineered from signatures in ZDI’s intrusion prevention system (IPS):

    http://erratasec.blogspot.com/2012/09/icymi-0day-leaks-from-ips.html

    With zero-days, IPS signatures precede the patch issued by the organization responsible for the software in question. And if the miscreants have access to ZDI’s IPS …
