September 19, 2012

Microsoft today released a stopgap fix for a critical security flaw in most versions of Internet Explorer that hackers have been exploiting to break into Windows systems. The company said it expects to issue an official patch (MS12-063) for the vulnerability on Friday, Sept. 21.

The company released a “fix it” tool, available from this link, designed to blunt the threat of attack on this flaw for users of IE 7, 8 and 9. In a blog post, Microsoft’s Yunsun Wee said the one-click solution should not affect users’ ability to browse the Web, and it does not require the reboot of your computer. Users should not need to uninstall the fix to apply the full security patch when Microsoft releases it.

I’m glad to see Microsoft take this step. The company keeps downplaying the threat, stating that “there have been an extremely limited number of attacks” against this flaw and that “the vast majority of Internet Explorer users have not been impacted.” Nevertheless, as I noted in previous stories this week, a reliable exploit for this vulnerability has already been rolled into free, easy-to-use attack tools, so IE users should not delay in applying this fix-it tool.

For more information on how to harden IE against attacks, see Internet Explorer Users, Please Read This.


20 thoughts on “Microsoft Issues Stopgap Fix for IE 0-Day Flaw”

  1. Uzzi

    Thanks Brian for the pressure on the topic and for keeping Microsoft’s users informed. 😎

  2. 3g

    you are smart… you are reading this…. try linux. try mac osx. try Firefox try chrome. be different. its ok to patch software exploits. but please don’t forget to try something new. You may like it. open minds builds a safer world

    1. Jerry

      I am an ex-msftie. I have been really disappointed with IE8 and IE9. So earlier this year, I put Chrome on my 4 computers. There was a short learning curve.

      Chrome is faster, updates automatically, and I like its features, like the cached bookmarks.

      I really came to value Chrome when the latest Java fiasco came about. I did the easy 2-step disabling of Java which Brian suggested (Disabled Java plug-in in settings/content and JavaScript in settings/content). Now, when a site asks me to enable Java, I can decide whether or not to enable it. I can modify javascript site exceptions at settings/content/manage exceptions. Chrome gives me a lot more control than IE.

      I still have IE9 on my machines, so I will run the fix-it.

      1. Chris

        Interesting, I downloaded Chrome two weeks ago, and I’ve only used it a couple of times because I dislike it so much after using IE9 – I had downloaded the beta version when it was released. Chrome seems cluttered.

        I think IE9 is cleaner, and has a more organic feel than Chrome, plus I love the pictures. I love the security features for IE9, because I have other users that will click on anything, including a brother with severe mental limitations. (I removed Java a while ago, and I haven’t needed it for anything.)

        I’ll keep Chrome as a backup, but I’m not impressed.

        1. Jerry

          Chris, I was a performance analyst at msft. I consider IE9 to be a memory hog. To me, Chrome’s smaller footprint makes sense performance-wise. If you like IE9 better, then be my guest.

          There are features, such as the cached bookmarks, that I really like. There are some bugs, such as when Chrome loses network connection and occasionally cannot recover. The residual chrome.exe process won’t die, even when I try to kill it with ProcExplorer.

          I like the auto-update feature (which I can block with Vipre IS 2012 firewall HIPS). I like the way they integrate Flash into the auto-update.

          All in all, I like Chrome.

  3. rick

    The advisory and ‘fix it’ page explicitly states that the work around only addresses the 32-bit version of IE. Why would a fix for 64-bit IE also not be released?

    >> For computers that are running 64-bit operating systems, the following Fix it solution only applies to 32-bit versions of Internet Explorer.

  4. ted

    The fix is to stop using IE for external sites. It is not worth the risks.

  5. Phoenix

    And while you are installing Fixit you can update your Flash Player as well!

    1. Dirgster

      As always, thanks for keeping us safe out there, Brian!

      And Phoenix, thanks for the update reminder for Flash Player! May I add that there is also an update for Adobe Shockwave Player, the newest version being 11.6.7.r637 at http://get.adobe.com/shockwave/

  6. Sterling

    You didn’t respond to my question (not that you needed to) but thanks for the heads up on the FixIt!

    I wonder why FixIt tools are released via Windows Update? Most people would go there instead of some page on microsoft.com

    1. Sterling

      BTW, do I run the FixIt even if it’s for 32-bit systems? Why didn’t MS release a FixIt for 64-bit machines? Only the former version of IE can be made the default browser, but 64-bit machines have 2 versions of IE: 32-bit and 64-bit.

  7. JimV

    I believe that 64-bit versions of the Windows 7 OS flavors have both 32-bit and 64-bit versions of IE installed, so the FixIt patch is advisable even if it only addresses the 32-bit version.

    I had no problems with the patch installation on 5 of my 6 machines, but it wouldn’t install on a Vista Ultimate SP2 32-bit machine just as an earlier FixIt patch wouldn’t — could never get that resolved, so like before I’ll just have to wait until tomorrow for the out-of-band update to resolve the IE flaw for that computer.

    1. SeymourB

      Eh? Windows 7 shipped with IE 8 (though I believe SP1 includes IE9).

      Are you absolutely sure you have builds with IE 7? Because you can run IE 8 in a mode where it’s virtually identical to IE 7 (switch Browser Mode to IE7 and Document Mode to IE7). But it’s still IE8 and security advisories for IE8 should apply.

      In short, the reason W7 & W2K8 aren’t included under IE7 is because, if you went out of your way to install IE7 on W7 and managed to hack it in, you get to deal with supporting it.

  8. meh

    Not a great way to address the issue, tens of millions of users with the browser and they ask them please please install a patch…

    Eventually it will probably be baked in but the whole series of articles about this issue has smacked of a poorly handled response to a major scandal – how many corporate or non news reading users is microsoft really expecting will do this? I’d be surprised if even 10% of their total client base ends up doing any of these measures.

    1. SeymourB

      They released a patch for it today, and I rolled the Fixit out through Group Policy on Wednesday to all the desktops I’m responsible for… if companies didn’t do the same, I feel sorry for the schmuck who’ll get blamed for not having done it.

      1. meh

        I saw that later on. I still stand by my original statement, it is a piss poor way to foster security to ask like Droopy for a hundred million users to update something on their own.

        Android suffers from a similar problem where updates are available but wait around on users or vendors to get around to the update, and as a result the vast majority are running insecure and outdated versions.

        I strongly believe if you leave the responsibility for security up to the end user you can’t complain when they mess it up. Murphy’s law or some such.

        1. SeymourB

          So Microsoft is supposed to send out a legion of employees to every Windows desktop in the world and force the end user to install an update? What about users on desktops which the admin has blocked their ability to install updates, what then?

          Android is a whole other ballgame with phone companies dropping the ball again and again. They’re like power companies caught flat-footed by security holes and not able to understand why they can’t just push out product and never issue updates for it. The world is changing and their business models have to change, but of course they fight it tooth and nail.

          While Microsoft did release this update in a timely manner and gave everyone a workaround ahead of time, I wish they had offered the workaround earlier and hadn’t done the usual spin doctoring to claim it’s not a big deal. But that’s Microsoft – they’re more and more a marketing company now than a technology company, most of what they produce is a little bit of tech underneath a load of frothy spin.
