01 May 14

Microsoft Issues Fix for IE Zero-Day, Includes XP Users

Microsoft has issued an emergency security update to fix a zero-day vulnerability that is present in all versions of its Internet Explorer Web browser and that is actively being exploited. In an unexpected twist, the company says Windows XP users also will get the update, even though Microsoft officially ceased supporting XP last month.


The rushed patch comes less than five days after the software giant warned users about active attacks that attempt to exploit a previously unknown security flaw in every supported version of IE. This flaw can be used to silently install malicious software without any help from users, save for perhaps browsing to a hacked or malicious site.

“We have made the decision to issue a security update for Windows XP users,” writes Dustin C. Childs, group manager, response communications at Microsoft. “Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1. Additionally, customers are encouraged to upgrade to the latest version of Internet Explorer, IE 11.”

Microsoft says the majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically. Windows users who don’t take advantage of the automatic updates feature of Windows (or who don’t wish to wait around for it to install the patch) can do so by visiting Windows Update.


117 comments

  1. Does this vulnerability only affect Windows XP users or all users of IE?

    • The vulnerability affects Internet Explorer versions 6 through 11, so it is not limited to people who still use Windows XP.

  2. From the first sentence of the story:

    Microsoft has issued an emergency security update to fix a zero-day vulnerability that is present in all versions of its Internet Explorer….

    IE9-11 don’t even work on Windows XP.

    • I wish there was a Like button for this reply.

    • I think I’m right in saying that the only exploits observed in the wild have targeted IE 9, 10, 11 – and you’re right: XP can’t run any of those (which makes the claim that this is the start of the XPocalypse look rather OTT).

      But I’m not complaining that XP users (of which I am two) are included in the fix 🙂

    • I don’t use IE so I never looked up system requirements but my office sent out a memo that it only affected Windows XP users and that we had nothing to worry about. I guess our IT heads really have no clue which is scary!

      • Forward your IT department a link to this article. They may have had some other reason to say “affects only XP users,” such as if XP machines are off of their internal auto-update system (WSUS). Sounds like you may be judging without knowing everything.

    • I was thinking the same thing regarding the ALL versions and really liked it for being in bold! LOL

    • PRICELESS reply!!!

    • Stratocaster

      An argument could be made that “IE9-11 don’t even work” just generally speaking.

      • Because IE 1-8 were just peachy? 😛

        It could be shortened to “IE doesn’t work.”

  3. Sterling Augustine

    I wonder what all of the users of Win 98 and Win 2K will do?

    • Personally, I’m going to be upgrading to ME this weekend.

      • Stanley Nelson

        I strongly recommend Windows 7. It is up-to-date, fast, and very reliable, and easy to use.

      • Blasphemer! Windows For Workgroups 3.11 is where it’s at, man. All the joy of 16-bit Winsock with Windows 95’s 32-bit disk stack glommed into the mix.

    • You’re jesting, but I look at my web server logs and still see the odd NT, Win2k, and Win98 user agents showing up. Scary.

      • More scary: Those are probably old PC’s they let their kids use, and they probably don’t bother with an antivirus because “there’s nothing important on that machine anyway.”

  4. Stupid Microsoft. They should let XP users burn. Including me. =(

    • I say… A noble deed of Microsoft to include XP users!

      Only mature and professional companies would act like that…

      My compliments.

      Cheers

  5. Just great news from Microsoft exactly for the labor’s day … Let’s update now.

  6. Well this IS a surprise! Hopefully a pleasant one! As usual we can’t thank you enough Brian for keeping us up to snuff! 🙂

  7. David Fraiser

    Interesting. The SSL cert is invalid (actually it’s non-existent). You might want to change the link in the article to the non-SSL site.

    “windowsupdate.microsoft.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown.

    The certificate is only valid for http://www.update.microsoft.com (Error code: sec_error_unknown_issuer)”

  8. Interestingly, clicking on the Windows Update link with a Firefox browser yields a popup window that says “This Connection is Untrusted”. According to the technical details, “windowsupdate.microsoft.com uses an invalid security certificate”. Hmmmmmm.

  9. TheOreganoRouter.onion.it

    I saw this on the Microsoft security bulletin email that the out-of-band update was for Windows XP. I thought that I was in a Twilight Zone episode, and that the information couldn’t be right.

  10. Can anyone please give the details of this update. I ran an update yesterday KB2961887, but this must be a different one.

    Windows update is giving me NOTHING. The only update it listed was for windows defender(definitions update). Please help. I’m pulling my hair out trying to get notified via auto updates, but so far with mixed results

    • If you are on a corporate system, the updates are controlled by your system admin. Many of them only update once a month or so.

      Also check if you didn’t disable (‘hide’) any other updates. E.g. certain service packs etc as that stops the update train as well.

  11. Fred Sandford

    Be advised that this goes live 1pm EST, or 10am PST as originally announced. Check sooner than that (in your time zone) and nothing will be available. For the GMT-challenged, 1pm EST is -4 GMT.

  12. Hi Brian,

    For the second time in two days I’ve only received auto updates after taking numerous steps that should be unnecessary. It all started after I came to your site and read about the new patch.

    Today I had to do the following to get an update and I’m not even sure it’s the right one.

    Let me emphasize that I used my control panel to navigate to Windows Update since the link provided gave me an SSL error. And, of course, I rebooted and started with IE.

    Once at Windows Update, I was informed I had one update only, for Windows Defender definitions.

    So I then took the following steps in IE 11.

    1. Enabled Shockwave Flash Object in the add-on manager.
    2. Unchecked ActiveX filtering under settings/safety.
    3. Unchecked protected mode.
    4. Unchecked ‘enhanced protected mode’ under settings/advanced/security.
    5. Unchecked ‘Enable 64 bit processes under enhanced protected mode’ under settings/advanced/security.

    THEN AND ONLY THEN did I get notified of an update and was able to download it. Interestingly enough, I also received another update to Windows Defender definitions.

    This, of course, is wrong. I, as well as millions of others, now are the proud owners of a version of IE that has flash embedded(nonremovable-at least by anyone of my capabilities) and yet we aren’t going to receive security updates unless we reverse the course we’ve taken to secure our machines.

    Yes, I have tried to notify MS of this, but apparently no one without a title is going to get feedback. I know how crazy it seems, but it’s really not. This is a Surface pro that has damn few apps installed and all came from the MS store.

    Furthermore, it was purchased from MS and therefore came ‘clean’ without third party crapware. Meaning, I guess, that it’s about as clean an install as you can get.

    AND YET, I am about to go back in and check of all the above items that I had to uncheck to get this patch installed. If that isn’t some form of pre-MS madness setting in, I don’t know what is.

    • James Beatty

      Just checking, chasm22 – and only because you didn’t specifically state it: did you click on the “check for updates” link on the Windows Update screen?

      This isn’t an “auto update” – it isn’t even checked to install by default after you manually force the issue.

      I don’t think your additional steps are necessarily doing you any favors.

    • It is called coincidence. There is no causal relation between your action and whether you got the update. The update is a separate service running completely independent from your Internet Explorer.

      I received the update on all my machines, with all those security settings (and more) in place.

      My guess is that you just have to wait a bit. Remember that Microsoft doesn’t serve the updates themselves but use caching servers from Akamai, which are different per region.

      • “It is called coincidence. There is no causal relation between your action and whether you got the update. ”

        Peter,

        If you had made the same changes, TWICE(as on two separate occasions for two different updates) you would have just muttered what a coincidence. Right?

        So let’s see. I use the same procedure, twice each time, to check Windows Update. First I go to control panel/Windows Update with Flash Player disabled and all the different things checked that you say you also have checked off. Of course I’m assuming you’re running Win8.1 IE11. Let’s see:
        1. Flash Player disabled in add-ons (actually it’s called Shockwave Flash Object but that’s a whole different story)
        2. IE/settings/safety ActiveX filtering enabled
        3. IE/settings/internet options/security/enable protected mode
        4. IE/settings/internet options/advanced/security ‘enable enhanced protected mode’
        5. IE/settings/internet options/advanced/security ‘enable 64 bit processes for enhanced protected mode’

        That about covers it for me. But hey, you said you did that and so maybe I’m missing the part about allowing updates with these settings, because when I tried to go to control panel/Windows Update I didn’t receive updates on TWO separate occasions.

        And after TWICE doing the same procedure in reverse, that is unchecking all the above and enabling the flash player, I did get the updates.

        You casually call this fact a coincidence. Kinda like it was just a coincidence Osama bin Laden was DOA. I guess, except not really.

        You’re telling me that twice, just at the times I was making all these changes, somehow the updates showed up on the servers. You’re telling me that if I had waited 8 minutes one time or 12 minutes the next time, I would have gotten the updates anyway. I can’t prove you’re wrong, but given the different times, dates and updates it sure makes it a BIG coincidence, right? What are the odds? Or are you saying I shouldn’t have made any changes, I should have just waited?
        Does that really sound like good advice, just wait? After all, the update was obviously there for the taking but I should have just waited and hoped?

        And, as I mentioned, it was kind of funny that I got updates for the Windows defender definitions, twice. Once before I made the changes and once after. Both times. As far as all the machines you have gotten updates for with all the settings the same as mine, that’s what I find perplexing. You seem to suggest that it’s a coincidence that immediately after the changes I got updates. Immediately after. So that tells me that it had nothing to do with whatever or whoever Microsoft was using to push them out. The updates were there. Waiting. You act as if making the changes didn’t trigger me getting the updates. Just a coincidence. 8 minutes later one day and 12 minutes later three days later. I make the same changes, I get the updates. But it’s just a coincidence? I’m not trying to make it into a discovery of heartbleed 2, but it wasn’t a coincidence.

        I understand your thinking. I think it has been addressed in this thread or another closely related thread (to updates). It’s certainly sobering to explain something like this only to be told “it’s called a coincidence”. You know what else, I know what it means to be demeaning, Peter. Enough said, I hope.

        Basically, what you are telling me is that I could have left all the settings as they were and at some future time I would have received these updates. But what I find a little hard to swallow is why I received these updates immediately after I made these changes.

        I can only offer this as proof. Follow me on this.

        Here is the update I got when I went to control panel/windows update when I had all the different security settings deployed.

        Definition Update for Windows Defender – KB2267602 (Definition 1.173.757.0)

        Installation date: ‎4/‎28/‎2014 2:43 PM

        After enabling flash and unchecking the boxes I mentioned and I mean immediately after since the only reason for any delays is due to my rather slow(3g) internet connection.

        1. Security Update for Internet Explorer Flash Player for Windows 8.1 for x64-based Systems (KB2961887)

        Installation date: ‎4/‎28/‎2014 2:55 PM

        Installation status: Succeeded

        2. Update for the English Input Personalization Dictionary – KB2881553 (Version 16.1.878.1)

        Installation date: ‎4/‎28/‎2014 2:55 PM

        Installation status: Succeeded

        3. Definition Update for Windows Defender – KB2267602 (Definition 1.173.788.0)

        Installation date: ‎4/‎28/‎2014 2:55 PM

        Installation status: Succeeded

        Look closely at the time. As soon as I made the changes and went back in I got not one, not two but three more updates.

        Yes I said three updates because even if you look closely at the Windows Defender definition update, you’ll see that while the KB is the same, the definitions are different)

        Same thing, three days later. Control panel/windows update. Flash disabled, all the other precautions taken

        1. Definition Update for Windows Defender – KB2267602 (Definition 1.173.1032.0)

        Installation date: ‎5/‎1/‎2014 11:00 AM

        Installation status: Succeeded

        Next try, because I had read the article on KOS and knew I was missing an update, I unchecked the usual suspects

        1. Definition Update for Windows Defender – KB2267602 (Definition 1.173.1059.0)

        Installation date: ‎5/‎1/‎2014 11:28 AM

        Installation status: Succeeded

        2.Security Update for Internet Explorer 11 for Windows 8.1 for x64-based Systems (KB2964358)

        Installation date: ‎5/‎1/‎2014 11:28 AM

        Installation status: Succeeded

        Notice again that I got a different update for the Windows Defender definitions. And of course I got the update I was looking for. I was looking for it because I had just read the article at KOS, OK.

        BTW, I am using a brand new Surface Pro with Windows 8.1 and IE 11, with the flash player being embedded.

        Your reply, of course, carries a message that has been discussed before. Experts in the field somehow finding it demeaning? to waste their time on things they perceive as silly. My reasons are simple. If you pay attention to nothing else I say, please pay attention to this.

        I run Chrome as my default browser, so believe me I’m aware of getting automatic updates. I appreciate the effort Google has put into Chrome in that respect and, on a far wider basis, the manner they handle many of the security updates in the Android ecosystem. They’ve done remarkably well with the Play store in that effort to keep many apps and, of course, Chrome for Android as secure as it is. Not perfect for sure, but better than nothing. I like automatic updates that notify you of an update and let you make the final decision. However, for Flash I willingly make an exception.

        Here’s the only reason I’ve posted about this. I believe that you won’t get auto updates to flash under IE 11 running under Win8.1 if you have your settings set as I did. I have followed the same procedures carefully twice now. I have made sure not to follow links in articles to this or that. I’ve used the Windows desktop to navigate to updates. I’m pretty sure, especially considering I received the same results after following the same procedures, that it’s not something I’m doing.

        Perhaps if you still think it’s coincidental, you can tell me how long I should wait for the updates. ESPECIALLY knowing the updates are already there for the taking if you have your machine Flash enabled. Perhaps you can tell me, with my machine having Flash disabled, what you think the timeline will be. Because your remark makes it sound like, even though I didn’t get updates with Flash disabled both times, it was definitely just a coincidence. Twice.

    • When I went to Windows update just now (about 7:30pm EDT), it said I only had optional updates. I checked “check for updates” and KB2964358 came up. I installed it with no problems.

      Previously, I had checked “enhanced protected mode” at the suggestion of this blog. Should I uncheck that now?

      By the way, I have only used IE for a long time. I find Firefox annoying in that I need to learn how to do a lot of things that I already know how to do in IE. I really don’t have the time or the desire to be proficient in two browsers.

      • There’s no reason to turn off enhanced protection, or EMET.

        If you run into problems, that indicates bad software / content which you should complain about and then avoid. If you absolutely can’t avoid something because you must use it, then you can consider disabling the extra protection for a limited time, just to use that bad content — keeping in mind that you are more vulnerable when you do so. It’s kind of like removing rubber gloves / face masks and walking around in an area with a number of infectious diseases – generally a horrible idea, but someone might demand you do it.

  13. No exploit for IE 5?

  14. I have to add for the other readers that even though I’m a rank newb on many issues discussed in KOS, I’m very familiar with the need to reboot after making changes, etc. Furthermore, for anyone that isn’t familiar with having a computer running an SSD, well let’s just say a reboot isn’t any slower than a page refresh. I’ve tried to take every precaution to make sure that whatever is happening isn’t being caused by me not performing some simple task. Bottom line: this silliness has turned into a serious matter for me and, I believe, a big black eye for MS. Chrome accomplishes the same thing with Flash without the need for me to take a single action.

  15. It was years ago but I don’t seem to think that they ever released any security updates for any other version of Windows (95, 98, ME, 2k, etc) that were End of Life.

    Is the XP update only for IE 8? That’s the one way it’d make somewhat sense, seeing as IE 8 could also be installed on Vista and porting the fix to XP wouldn’t really take a ton of work. But then as far as severity, or effort to patch aside- it wasn’t really a major update to those that don’t use IE on XP but instead use Firefox, Chrome, or others. And as long as these alternative browsers decide to support XP then they’ll be a better move for those still using an XP box for whatever reason.

    I don’t get their choice to release an update for XP is what I’m getting at. Grace periods are just going to send mixed messages, especially in the course of all the other exploits we’ll see this year. “That one was bad and we patched it. But these next 6 are REALLY bad and we’re not patching them for XP”

    • If XP were being used by clueless individuals too cheap to update, I could see that.

      But XP is still widely used by corporate clients who are big customers for MS’s other products. Those companies can’t change operating systems, because they have hundreds of thousands of dollars invested in specialized software applications that run on XP. Vista was so bad no one wanted any part of it, so the vendors stayed with XP. A lot of these business applications were just getting their Windows 7 versions out of beta when MS changed to Windows 8.

      If major companies keep having to rebuild their applications to be compatible with whatever operating system of whatever quality Microsoft comes up with, then migrating to Linux is going to start looking like an alternative.

      • “If major companies keep having to rebuild their applications to be compatible with whatever operating system of whatever quality Microsoft comes up with, then migrating to Linux is going to start looking like an alternative.”

        You are kidding, right? I’m no Microsoft sycophant, but they supported XP for WAYYYYYY longer than any linux distributor (and I’m talking about the pros: the Redhats and the SuSEs, not the trendy distro of the year). I don’t recall SuSE off the top of my head, but Redhat’s PAID lifecycle is seven years. Microsoft’s free lifecycle was what…13?

        If any corporate application hasn’t been updated in the 4.5 years since 7 was released the responsible party should be unemployed. Everyone knew this day was coming.

  16. Firefox would not let me, or really, really did not want me to, access windows update through the link provided by Brian.
    It was straightforward in ie, I hope it was safe.
    Moving on to my old xp laptop.

  17. So, here’s what I want to know: Was there really any serious threat?

    Yes, I understand that a serious vulnerability was discovered in IE, and that there was a “limited, targeted attack” against someone or some organization somewhere in the world. How limited was it? FireEye seemed to have the most knowledge and they only say “for many reasons, we will not provide campaign details”. Did anyone else see any type of malicious activity related to this vulnerability? Hopefully FireEye will at some point be able to come out of Top Secret mode and share details of exactly what it is they are aware of.

    Based on the headlines of many news stories in recent days, one would think some kind of major attack was already underway. “Switch browsers now before you are hit!” “DHS says to stop using IE now!” Very alarming. And very overdone.

    I didn’t panic. I didn’t switch browsers. I kept browsing the internet with IE. When the patch showed up a little while ago, I applied it. Was that risky behavior? I think not. I don’t see how this particular vulnerability was any different than the countless other ones we see in a wide range of software each month.

    Maybe the urgency was that this vulnerability was being actively exploited. Except that there is little evidence of any attack activity. FireEye has some details but they won’t say. Everyone else just worked themselves into a frenzy.

    The news media needs to focus on the facts and not hype and sensationalism. Please save the dire warnings for a real threat.

    • Once a specific Web browser / technology / component is identified as vulnerable to a specific class of failure as happened here (IE: VML, Garbage Collection), there are automatic tools which can be run to identify the failure and then working to produce your own exploit isn’t particularly hard — if you’re already in the business of generating exploits.

      I certainly wouldn’t use a browser on the Internet with this published information.

    • Some of us are under attack and even the whiff of a vulnerability sees rabid-rapid action to contain the problem. If you have nothing to lose, then I suggest you stick your head in the sand and just be happy! 🙂

  18. Many, many organizations are still in the process of removing XP from their technology footprint. I’ve noticed many commenters suggesting an XP patch should not have been released as it would do more harm than good in causing organizations to delay removal of XP. I suspect many (all) of those commenters do not work in IT or security in large American enterprises.

    The XP end of life was not a surprise or a secret, all large organizations have been aware and discussing it for years. A plethora of reasons cause it to persist. Some we have some control over, many we have less control over than we would like. Many purpose built systems required the usage of Windows XP, even on new deployments all the way up until late last year. We were buying new PC’s from Dell with XP loaded all the way up until last year. Not because we wanted to, and not because we thought it was a good idea or were ignorant to the coming EOS, but because core software to our business required it with the disclaimer that if we tried to run Windows 7 or other we wouldn’t receive support from the vendor.

    Armchair CIO’s and others would say “well then it’s time to get a new vendor”. That’s easier said than done in many cases – either the vendor is the only guy in the game, or more commonly, the organizations investment in the vendors platform and the hard and opportunity costs involved in switching solutions in some cases could exceed the annual gross profit of the company in question. Bad business on all sides – so we simply have to exert (our sometimes limited) influence to try to get everybody involved with the program.

    Bottom line and said in short – many, many companies are still converting away – this train has already left the station, the last feet dragging vendors are finally on board as it became apparent in early 2014 that no final extension was coming from MS. The release of the patch for XP was a wise move on MS’s part, to give a final element of value to those customers who are still in the process of switching away from XP, vs leaving them out to dry.

  19. There is zero cost to Microsoft as they are supporting XP for large companies and organisations prepared to pay for extended support. In this case they would probably say that the fault was with IE rather than XP. At work they are deploying new Windows 7 machines loaded with IE8

  20. I hear many people who say, “I don’t use IE so I don’t have to worry about the XYZ zero-day.” Please realize that humans aren’t the only users of Web technology on Windows. Most programs that use HTTP/HTTPS on Windows do so using the programmatic components of IE. Although programs (typically) do not casually surf the Web as human users do, their activity does expose a Windows computer and the vulnerabilities of IE to the public Internet. Heck, even a lot of Malware is written to use IE.

    Do you know where your computer is Web surfing without you?

    • I bet the NSA knows where its surfing.

    • Chris Thomas

      For this reason I set XP Internet Properties security zones to HIGH – all four of them. You have confirmed what I strongly suspected.
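The point in comment 20, that IE's components are used by programs that never show a browser window, can be checked rather than taken on faith. The PowerShell below is an added example, not code from the article or from any commenter: it lists the running processes that have loaded Internet Explorer's rendering and HTTP libraries. The module names (mshtml.dll, ieframe.dll, urlmon.dll, wininet.dll) are well-known IE/WinINet components; the script assumes PowerShell 3.0 or later and an elevated prompt so that other users' processes can be inspected.

```powershell
# Added example: which running processes have IE's HTML/HTTP components loaded?
# mshtml.dll renders HTML, ieframe.dll hosts the WebBrowser control,
# urlmon.dll and wininet.dll handle URL monikers and HTTP. A process that has
# these loaded shares IE's attack surface whether or not a browser window exists.
$ieModules = 'mshtml.dll', 'ieframe.dll', 'urlmon.dll', 'wininet.dll'

function Get-IeComponentHosts {
    param([string[]] $ModuleNames = $ieModules)

    foreach ($proc in Get-Process) {
        try {
            # Reading .Modules throws for protected/system processes when not elevated,
            # or for a process that exited between enumeration and inspection; skip those.
            $loaded = $proc.Modules |
                Where-Object { $ModuleNames -contains $_.ModuleName.ToLower() }
            $path = $proc.Path
        } catch {
            continue
        }
        if ($loaded) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                Id          = $proc.Id
                Path        = $path
                IeModules   = (@($loaded.ModuleName) | Sort-Object -Unique) -join ', '
            }
        }
    }
}

# Usage: print every process that is "web surfing without you".
Get-IeComponentHosts | Sort-Object ProcessName | Format-Table -AutoSize
```

Expect a long list: wininet.dll in particular is loaded by a great many Windows programs, which is exactly the commenter's point. The narrower signal is mshtml.dll, since a process that has it loaded is parsing and rendering HTML with IE's engine, and is therefore exposed to an IE rendering bug even if no one on the machine ever opens IE.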

  21. When this bug appeared, I commented that this was a browser issue, not an OS issue. Remember that the DOJ filed antitrust charges due to IE integration with the Windows OS. After Microsoft resolved the issue, it might be possible that the DOJ put the “… and don’t do it again or else” clause somewhere, which might be used later in the future (even if the OS is unsupported, Microsoft has ownership). At least it is one less bug to deal with for the 1/4 of the Windows XP machine universe out in the wild.

    • To this day Internet Explorer is hard coded into the operating system – yes you can uninstall it, but an earlier version is left behind and is still functional, although even less secure. Microsoft works around the anti-trust issue by making it easy to get competing browsers in the EU, and (sort of) avoids unfair practices in the US to keep the Feds off its tail.

  22. The workarounds in the MS advisories and bulletins can be good “defense-in-depth” tactics, too. If the workarounds don’t bother me, I’ll keep them. Even with the patch installed.

    I’ve unregistered VGX.dll for good due to this threat.

    For the emergency Flash update earlier this week in advisory 2755801, I’ve added both of the ActiveX killbits for Flash (the I.E. portion of the registry and the portion for Office 2010). No more Flash in I.E.

    And by switching to the HTML5 option on Youtube’s site, I don’t need to keep Flash enabled on Firefox either. I’ve set that plug-in to Never Activate, and prevent any accidental Click-to-play from triggering Flash.
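Comment 22 describes two workarounds that outlive the patch: unregistering VGX.dll (the VML renderer) and setting the ActiveX kill bits for Flash. The script below is an added example, not from the commenter or from Microsoft, that verifies both are actually in place on a machine. Labelled assumptions: the VML library's usual path is %CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll; the Flash ActiveX control's CLSID is {D27CDB6E-AE6D-11cf-96B8-444553540000}; a kill bit is the 0x400 bit of the Compatibility Flags value under IE's ActiveX Compatibility key, and the Office 2010 equivalent is taken to be the COM Compatibility key under the Office hive (check that against advisory 2755801 before relying on it). PowerShell 3.0 or later.

```powershell
# Added example: confirm the VML and Flash-killbit workarounds from comment 22.
$flashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Flash ActiveX control (well-known CLSID)
$killBit    = 0x400                                       # "kill bit" in Compatibility Flags
$vgxPath    = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'   # assumed location

function Get-VmlRegistrations {
    # VML is effectively disabled for IE when no CLSID's InprocServer32 points at vgx.dll.
    # Walking all of HKCR\CLSID avoids hard-coding the VML class ids; it takes a while.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $server = (Get-ItemProperty -Path (Join-Path $_.PSPath 'InprocServer32') `
                        -ErrorAction SilentlyContinue).'(default)'
            if ($server -and $server -match 'vgx\.dll$') { $_.PSChildName }
        }
}

function Get-KillBitStatus {
    param([string] $Clsid)
    $keys = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$Clsid"   # assumed Office 2010 key
    )
    foreach ($k in $keys) {
        $flags = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Key        = $k
            KeyPresent = Test-Path $k
            KillBitSet = [bool]($flags -band $killBit)
        }
    }
}

# Usage: report both workarounds.
$vml = @(Get-VmlRegistrations)
if ($vml) { "VML still registered via CLSID(s): $($vml -join ', ')" }
else      { "VML (vgx.dll) is not registered" }
"vgx.dll present on disk: $(Test-Path $vgxPath)"
Get-KillBitStatus -Clsid $flashClsid | Format-Table -AutoSize

# To unregister VML the way the comment describes (elevated prompt, path is the
# assumption above): regsvr32.exe -u "$vgxPath"   -- re-register later with regsvr32.exe "$vgxPath"
```

The file check is deliberately separate from the registration check: unregistering leaves vgx.dll on disk, which is the expected state after the workaround, so only the registry result tells you whether IE can still load it. The Wow6432Node key matters on 64-bit Windows because the 32-bit IE process reads its kill bits from there.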

  23. Didn’t the final end of life update for XP turn off automatic updates for safety reasons?

    • I shut automatic updates off on all my clients, because their legacy hardware can’t take the slow down the updater puts on their system. I’ve been encouraging manual updates to any performance minded clients for years. I do know that a nag script is deposited in XP to constantly remind one that it is past support – unless you simply hide that KB in the 1st place.

    • I stopped seeing the nags after the cut-off date, and thought nothing of it.

      When I tried to fetch this patch for XP my system informed me that I lacked the necessary files to perform the update, and offered me the option of downloading and installing those files (which I took :))

      So Microsoft may have done more than just turn off auto-update for XP users as it turned out the lights.

  24. Here’s a list of IE versions and OS with their respective patch. Enjoy!

    thetech-m.blogspot.com/2014/05/microsoft-patch-on-internet-explorer.html

    Like my FB page for more updates!
    https://www.facebook.com/TheTech3Ts

  25. As soon as I got on the computer tonight I saw the yellow button on task bar with this security update for IE8, I do have XP so I ran the update. I was surprised but pleased. I don’t use IE8 anymore nevertheless.

    And I also saw the warning from firefox on the link.

    To me, why did Microsoft have to create all this chaos by ending support for XP?

    Why not create Windows XP second generation since it’s better than anything since.

    • I suspect it is because the NT system is vastly out of date in technology referring to the filing system and kernel security. I agree with you that a look alike modern operating system would have been a genius step, and if they had made using virtual environments even easier to implement for the uninitiated, so they could run legacy apps, the better still. However for my clients it is more the hardware costs that are keeping them from switching.

    • longshot asked, “Why not create Windows XP second generation since it’s better than anything since.”

      Or, simply announce that after April 8th, Microsoft was going to begin charging XP users a subscription fee to continue getting security updates — millions of XP users would have gladly opted to pay.

      After all, it usually boils down to an issue of money, doesn’t it?

  26. I installed the update today at work. One computer kept failing to install it. I eventually uninstalled the last successfully-installed Windows patch, then took another (successful) run at Windows Update.

    My surveillance-recording computer didn’t boot successfully after the update, getting stuck at the motherboard’s BIOS screen while trying to detect boot devices. Coincidence at work there, I think the SSD is getting a little tired. I updated to the latest motherboard beta BIOS and it began coming up again. Note to self, budget for a new LGA1155 board soon…

    However, after the patch, all my computers are showing the wrong date on Brian’s blog posts now. It says it’s May 14! Holy time travel, Batman!

    … I kid, I kid! 😉 Brian, are you tired of hearing about the blog dates yet?

  27. ATTENTION Windows 7 Users:

    From: Description of the security update for Internet Explorer for systems that have security update 2929437 installed: May 1, 2014
    http://support.microsoft.com/kb/2964358

    Known issues with this security update

    Internet Explorer will crash if you try to install this security update on a Windows 7-based system that does not already have security update 2929437 installed. To avoid this issue, take either of the following actions:
    * Install security update 2929437, and then install security update 2964358. For more information about security update 2929437, click the following article number to view the article in the Microsoft Knowledge Base: http://support.microsoft.com/kb/2929437/
    Description of the security update for Internet Explorer 11 on Windows 7 and Windows Server 2008 R2: April 8, 2014
    * Install security update 2964444 instead of security update 2964358. Security update 2964444 is intended for systems that do not have security update 2929437 installed.

    (Note: It continues to amaze me that Microsoft programmers do not appear to have the skill to write patches that are capable of branching to different subroutines based on which OS they are run on. 😉)
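    An added example, not from the comment or from Microsoft, of how an administrator could apply the KB2964358 ordering rule above before pushing the patch: a PowerShell check that looks for the prerequisite KB2929437 on each Windows 7 / Server 2008 R2 host and reports which update to install. It assumes IE 11 is what is installed and that the computer names (here the hypothetical WS-01 and WS-02) are reachable with admin rights.

```powershell
# Added example (not from the comment or Microsoft): decide which May 2014
# IE security update a Windows 7 / Server 2008 R2 machine needs, following
# the ordering rule quoted from KB2964358. The computer names are
# hypothetical; the KB numbers are the ones cited in the comment.
function Get-IeUpdatePlan {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Windows 7 and Server 2008 R2 both report kernel version 6.1
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    if ($os.Version -notlike '6.1*') {
        return New-Object PSObject -Property @{
            Computer = $ComputerName
            Action   = 'Not Windows 7 / 2008 R2; KB2964358 ordering rule does not apply'
        }
    }

    # Get-HotFix reports an error when the KB is absent, so silence it and
    # treat "nothing returned" as "not installed"
    $has2929437 = [bool](Get-HotFix -Id KB2929437 -ComputerName $ComputerName -ErrorAction SilentlyContinue)
    $has2964358 = [bool](Get-HotFix -Id KB2964358 -ComputerName $ComputerName -ErrorAction SilentlyContinue)
    $has2964444 = [bool](Get-HotFix -Id KB2964444 -ComputerName $ComputerName -ErrorAction SilentlyContinue)

    $action = if ($has2964358 -or $has2964444) {
        'Already patched'
    } elseif ($has2929437) {
        'Install KB2964358 (prerequisite KB2929437 is present)'
    } else {
        'Install KB2964444, or install KB2929437 first and then KB2964358; do not apply KB2964358 alone'
    }

    New-Object PSObject -Property @{
        Computer   = $ComputerName
        Has2929437 = $has2929437
        Action     = $action
    }
}

# Hypothetical fleet; substitute your own hostnames
'WS-01', 'WS-02' | ForEach-Object { Get-IeUpdatePlan -ComputerName $_ } | Format-Table -AutoSize
```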

  28. May sound like a stupid question but what about Android cell phones? Will the maker of the phone send an update?

    Thank you

    • Er…IE runs on Android? That’s news to me.

      • Ok, so they run off of a google product browser. Sorry! See I told you it was a stupid question!
        This coming from a non-IT person.

        Sorry to waste your time!

        • Don’t sweat it Stacy, ignorance is not a defect, it is just not knowing. Now when it comes to flash vulnerabilities, and if you are using the flash plugin on a mobile device, then you got something to worry about. Even if you don’t use the plugin, the HTML-5 coding to run flash video would require a browser update – I suspect this will affect mobile devices sooner, rather than later.

          Of course this is rather a separate issue from the one you are asking about, but at least it is somewhat on topic.

  29. This is what happens when I click on the “Windows Update” link using Win 7 with IE 11:

    There is a problem with this website’s security certificate.

    Ironic?

    The security certificate presented by this website was issued for a different website’s address.

    Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

    We recommend that you close this webpage and do not continue to this website.

    [Recommended icon] Click here to close this webpage.

    [Not recommended icon] Continue to this website (not recommended).

    More information

  30. “This flaw can be used to silently install malicious software without any help from users, save for perhaps browsing to a hacked or malicious site.”

    They don’t even have to do that. Let me explain what I’ve seen in my experience of finding infection root causes: Typically the users at my office are doing their normal job. They’re googling for information they need, or reading news stories to keep up on the industry, etc., and more often than not some sort of ad-based system will contain a payload which then redirects to something malicious.

    I wouldn’t call that a “hacked site,” at least not in the traditional sense. The website did exactly what it was supposed to do – load an ad. The problem is that companies are paying for malicious ads – but not all the time, as that would be rather easily detected. I don’t know if we’re just targeted because of our industry, and because we own our own address space and it is very obvious who we are when we access a website, or if I have the tinfoil hat on just too tight, but I do know that you can be doing all the right things, with 4+ layers of security (external botnet filters, hijacked address space filters, application-based proxy filters, IPS, A/V) and still things slip through.

    Even with 100% white-list based filtering of Internet access things get through (of course, that is then because of a hacked website, but still).

    About the best I’ve found you can do is continue to be vigilant, patch often, and monitor and look at all the after-the-fact data you can get your hands on to analyze all your DNS and proxy filter logs. We’re privileged to have access to government data on hacking exploits, and then after the fact we look at all the indicators to see if we had anything matching. Typically when we did find items, we already knew because of other indicators or alarms that had been set off.

    Our next level of filtering is moving to a DMZ-only Internet access with all external email/browsing access done through isolated VDI-based sessions. Short of reverse-infecting a VDI client, this should be pretty bullet-proof.

    • Jason, you might see if Software Restriction Policy will work in your environment. If you set Disallowed as the default, and close loopholes with Path Rules, the typical exploit is going to be thwarted by an inability to execute a payload. Remember the scene where Indiana Jones is facing off against a swordsman doing fancy sword work, and he just shoots him? Yeah 🙂

      SRP: “Nice exploit, that was very creative! *BLAM* Ooops, was that your payload…? Sorry…”