Security Advisor

Glaring Omission in First Patch Tuesday of the Year

The recently disclosed Internet Explorer zero-day vulnerability was not addressed by this month's Microsoft security update.

What's most interesting about January's Microsoft security update is not the two "critical" and five "important" fixes, but what wasn't there: a proper fix for the recently disclosed Internet Explorer zero-day vulnerability.

The vulnerability, disclosed by the California-based security firm FireEye in the last week of 2012, could allow anyone with the right know-how and loose moral fiber to hijack a system and run malicious code, because of how IE accesses memory that has already been freed.

Those running newer versions of IE are not affected; the issue concerns only IE 6, 7 and 8.
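The "deleted memory" access described above is a use-after-free: code keeps a pointer to an object after the object has been released, and whatever the allocator hands out next in that spot is read as if it were the original object. The following C program is an added illustration, not code from the article, from IE or from any of the firms named here. It uses a constructed four-slot pool in place of a real heap, a constructed node type in place of a DOM object, and a constructed 'A'-byte payload in place of attacker-controlled data; the generation-checked handle shown as a defence is one generic mitigation for this bug class, not a description of Microsoft's Fix it.

```c
#include <stdint.h>
#include <string.h>

/* Toy slot pool standing in for the browser heap (constructed for this
   example). A freed slot is handed straight back to the next caller of the
   same size, which is the allocator behaviour a use-after-free relies on. */
#define SLOTS     4
#define KIND_TEXT 1

typedef struct {
    uint32_t kind;              /* type tag the code dispatches on */
    char     text[28];          /* small payload */
} node_t;                       /* stand-in for a DOM node */

static node_t   pool[SLOTS];
static int      slot_in_use[SLOTS];
static uint32_t slot_gen[SLOTS];   /* bumped every time a slot is freed */

static void pool_reset(void)
{
    memset(pool, 0, sizeof pool);
    memset(slot_in_use, 0, sizeof slot_in_use);
    memset(slot_gen, 0, sizeof slot_gen);
}

static int pool_alloc(void)
{
    for (int i = 0; i < SLOTS; i++) {
        if (!slot_in_use[i]) {
            slot_in_use[i] = 1;
            memset(&pool[i], 0, sizeof pool[i]);
            return i;
        }
    }
    return -1;                  /* pool exhausted */
}

static void pool_free(int slot)
{
    slot_in_use[slot] = 0;
    slot_gen[slot]++;
}

/* Attacker-shaped allocation: same size as a node, filled with 'A' bytes
   (constructed payload in the style of a heap-spray filler). */
static void attacker_alloc(void)
{
    int s = pool_alloc();
    if (s >= 0)
        memset((unsigned char *)&pool[s], 'A', sizeof pool[s]);
}

/* Vulnerable pattern: a raw pointer outlives the object it points to.
   Returns the 'kind' field as seen through the stale pointer. */
uint32_t stale_kind_after_reuse(void)
{
    pool_reset();
    int s = pool_alloc();
    node_t *node = &pool[s];
    node->kind = KIND_TEXT;
    strcpy(node->text, "hello");

    pool_free(s);           /* the node is released ... */
    attacker_alloc();       /* ... its slot is reused by attacker-controlled bytes ... */

    return node->kind;      /* ... and the stale pointer reads 0x41414141, not KIND_TEXT */
}

/* One defence: reach objects only through a handle that records the slot's
   generation, so the allocator can refuse a reference to a freed object. */
typedef struct { int slot; uint32_t gen; } handle_t;

static handle_t node_new(void)
{
    int s = pool_alloc();
    if (s < 0)
        return (handle_t){ -1, 0 };
    return (handle_t){ s, slot_gen[s] };
}

static node_t *node_get(handle_t h)
{
    if (h.slot < 0 || !slot_in_use[h.slot] || slot_gen[h.slot] != h.gen)
        return NULL;        /* freed (or freed and reused): refuse the access */
    return &pool[h.slot];
}

/* Same sequence as above, but through handles. Returns 1 if the stale
   access was refused. */
int stale_access_refused(void)
{
    pool_reset();
    handle_t h = node_new();
    node_get(h)->kind = KIND_TEXT;

    pool_free(h.slot);
    attacker_alloc();

    return node_get(h) == NULL;
}
```

In a real browser the reused slot holds whatever the attacking page allocated, and the field read through the stale pointer is typically a vtable or function pointer rather than a type tag, which is how a memory-lifetime bug becomes code execution. The handle check is a detection, not a cure: the fix for the bug class is to make the object's last user release it, not to keep raw pointers past the free.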

Microsoft responded with a security advisory on the flaw which, while it did not provide a clear-cut solution, did offer a workaround in the form of a Microsoft Fix it.

The problem, as security firm Exodus Intelligence found, was that this workaround didn't actually fix the issue:

"After posting our analysis of the current 0day in Internet Explorer which was used in a 'watering hole' style attack hosted on the Council for Foreign Relations Web site, we decided to take a look at the Fix It patch made available by Microsoft to address the vulnerability," the company said in a blog post. "After less than a day of reverse engineering, we found that we were able to bypass the fix and compromise a fully-patched system with a variation of the exploit we developed earlier this week."

The good news is that, while this zero-day vulnerability is a real threat, there have been no reports of attacks beyond the targeted watering-hole campaign described above.

Microsoft has not said why a bulletin could not be issued this past Tuesday, nor when a fix should be expected.

I'm hoping that Microsoft goes ahead and pushes out an out-of-band patch as soon as possible. A month is a long time to wait for a patch for such a serious issue, and a long time to hope that attackers won't start exploiting it.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.
