Emergency patch released for Internet Explorer zero-day flaw

News by Dan Raywood

Microsoft released update MS12-063 to address the zero-day vulnerability in Internet Explorer on Friday afternoon.

Yunsun Wee, director of Microsoft Trustworthy Computing, said that MS12-063, which affects Internet Explorer versions 9 and earlier, also resolves four privately disclosed vulnerabilities that were not being exploited.

Wee said: “The majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically. For those manually updating, we encourage you to apply this update as quickly as possible.”


Wolfgang Kandek, CTO of Qualys, said: “Interestingly in the bulletin, Microsoft credits TippingPoint for reporting CVE-2012-4969. We recommend installing the update as soon as possible, even if you are not running one of the configurations that are currently being exploited, i.e. Internet Explorer plus Flash or version Java v1.6. Attackers are surely working on a way to exploit the vulnerability directly without the help of plug-ins.”

Andrew Storms, director of security operations for nCircle, said: “Microsoft had to respond very quickly to this bug. In addition to the serious security threats it posed to their customers, Internet Explorer's market share is at risk. Many security pundits and organizations have been telling users to switch browsers until a patch is available. I'm sure that got the attention of a lot of Microsoft executives.

“Microsoft's ability to go from advisory to patch release so quickly demonstrates their commitment to providing customers with a secure computing environment. Earlier this year, Microsoft stated that they had enough resources to deliver an IE patch every month if necessary. Those additional resources certainly helped them deliver this patch in record time.”

Gartner's Jake MacDonald said: “Microsoft's motivation to quickly release the patch out of band was affected by calls from various enterprises and governments to ban the use of IE until the issue was resolved.

“What can we learn from this incident? This is not the first time this has happened on Internet Explorer and it will not be the last. Google Chrome has had them. So has Firefox. When will we learn? The answer isn't to switch browsers, the answer is to standardise on more than one browser.”

