Asia's Source for Enterprise Network Knowledge

Thursday, April 24th, 2014

Information security management

Microsoft patches new IE vulnerability

Microsoft on Wednesday released a temporary fix for an Internet Explorer vulnerability affecting most versions of Windows, as security vendors debated the risk of infection by exploits found on the web.

Microsoft said the "one-click" fix would have to be installed manually, but would not require a system reboot or affect a person's ability to brows the Web. On Sept. 21, Microsoft planned to push out a permanent patch to Windows users through the operating system's automatic update feature.

The patch will fix the latest publicly disclosed vulnerability, as well as four other critical flaws, said Yunsun Wee, director of Microsoft's Trustworthy Computing unit.

Security vendors disagree on the threat level of the known vulnerability discovered over the weekend. Sophos raised the level to "high," one notch below "critical." The flaw, in IE versions 6 through 9, enables a hacker to install software capable of commandeering a computer.
Sophos chose high for now, because an exploit for the vulnerability, known as CVE-2012-4969, had not been added to Blackhole and other popular underground tools used by hackers. "If the prevalence increases, we will likely move to critical," said Chester Wisniewski, a senior security adviser for Sophos.

Rather than wait for more exploits of the flaw, Rapid7 and FireEye rated the vulnerability as critical and highly critical, respectively. The highest ratings were warranted because the number of exploits on the Web was growing and IE accounts for a third to more than half of the browser market. The share varies by tracking firm.

"There are many users at risk, so it's definitely highly critical," said Atif Mushtaq, a security researcher at FireEye.