Microsoft rushed out a full patch for five separate vulnerabilities affecting its Internet Explorer browser, one of which was publicly disclosed while four were privately reported to Microsoft.
“The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer,” Microsoft stated in its security bulletin on the issue. “An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user.”
The flaws affected multiple versions of IE including IE 6, 7, 8 and 9. IE 10, which is currently only available for Windows 8, is not affected by the flaws.
“Today we released a security update to address the Internet Explorer issue impacting a small number of customers,” said Yunsun Wee, director, Trustworthy Computing Group. “While attacks have been limited, for increased protection customers should apply the update as soon as possible if they do not have automatic updates enabled.”
All five flaws are use-after-free conditions, listed in the bulletin as the OnMove, Event Listener, Layout Use, cloneNode and execCommand vulnerabilities. In a use-after-free flaw, memory allocated for a legitimate object is freed while the program still holds a reference to it; an attacker who can control what is placed in that freed memory can then abuse the stale reference.
Three of the five flaws were privately reported by HP TippingPoint’s Zero Day Initiative (ZDI), while another was reported to Microsoft by Verisign’s iDefense Labs. Both ZDI and iDefense pay researchers for vulnerability information that is then responsibly disclosed to affected vendors.
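The following C program is an added illustration of the use-after-free class described above; it is not code from the article, from Microsoft, or from Internet Explorer. It assumes a tiny fixed-slot allocator (constructed here so that slot reuse is deterministic) and a node type standing in for a DOM element that an event handler keeps a pointer to. The first function shows the defect: the element is freed, its slot is recycled for a new object, and the handler's stale pointer silently reads that new object. The second shows the defensive discipline of reference counting, where the element is only freed once every holder has released it.

```c
/* Added example: use-after-free on a deterministic slot allocator, and the
 * reference-counted variant that prevents it. The allocator and node type are
 * constructed for this illustration and are not Internet Explorer's. */
#include <stdio.h>
#include <string.h>

#define SLOT_COUNT 4

/* Stand-in for a DOM element that a handler may hold a pointer to. */
typedef struct {
    char name[24];
    int  refcount;   /* used only by the reference-counted variant */
    int  in_use;
} node_t;

static node_t pool[SLOT_COUNT];

/* Allocate the lowest free slot, like a free list that recycles the most
 * recently freed block first; returns NULL when the pool is exhausted. */
static node_t *pool_alloc(const char *name) {
    for (int i = 0; i < SLOT_COUNT; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].refcount = 1;
            strncpy(pool[i].name, name, sizeof pool[i].name - 1);
            pool[i].name[sizeof pool[i].name - 1] = '\0';
            return &pool[i];
        }
    }
    return NULL;
}

/* Release a slot and wipe its contents so any stale read is visible. */
static void pool_free(node_t *n) {
    n->in_use = 0;
    n->refcount = 0;
    memset(n->name, 0, sizeof n->name);
}

static void pool_reset(void) { memset(pool, 0, sizeof pool); }

/* Number of live objects, used to confirm the hardened path really frees. */
static int pool_live(void) {
    int live = 0;
    for (int i = 0; i < SLOT_COUNT; i++) live += pool[i].in_use;
    return live;
}

/* Vulnerable pattern: the handler keeps a raw pointer, the element is freed
 * and its slot recycled, and the handler later dereferences the stale pointer.
 * Returns the name the handler observes, or NULL if the slot was not reused. */
static const char *demo_use_after_free(void) {
    static char seen[24];
    pool_reset();
    node_t *elem = pool_alloc("button");
    node_t *handler_ref = elem;                  /* raw pointer held by a handler */
    pool_free(elem);                             /* element removed from the tree */
    node_t *replacement = pool_alloc("replacement"); /* recycles the freed slot */
    if (replacement != handler_ref) return NULL;
    strcpy(seen, handler_ref->name);             /* handler fires on stale memory */
    return seen;                                 /* "replacement", not "button" */
}

/* Hardened pattern: every holder owns a reference; the object is freed only
 * when the last reference is released, so no holder can observe a recycled slot. */
static void node_retain(node_t *n) { n->refcount++; }
static void node_release(node_t *n) { if (--n->refcount == 0) pool_free(n); }

static const char *demo_reference_counted(void) {
    static char seen[24];
    pool_reset();
    node_t *elem = pool_alloc("button");         /* refcount 1: owned by the tree */
    node_t *handler_ref = elem;
    node_retain(handler_ref);                    /* refcount 2: handler owns it too */
    node_release(elem);                          /* tree drops its reference, still live */
    node_t *replacement = pool_alloc("replacement"); /* lands in a different slot */
    if (replacement == handler_ref) return NULL;
    strcpy(seen, handler_ref->name);             /* handler still sees "button" */
    node_release(handler_ref);                   /* last owner: now actually freed */
    if (pool_live() != 1) return NULL;           /* only the replacement remains */
    return seen;
}

int main(void) {
    printf("raw pointer handler sees:      %s\n", demo_use_after_free());
    printf("reference-counted handler sees: %s\n", demo_reference_counted());
    return 0;
}
```

The wipe in pool_free is what makes the stale read observable here; a real heap gives no such courtesy, which is why these bugs surface as crashes or, when the freed block is refilled with chosen content, as the remote code execution the bulletin warns about.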
The out-of-band patch follows one of the smallest Microsoft Patch Tuesday releases in years. For the September 2012 Patch Tuesday, Microsoft only fixed two flaws. The September Patch Tuesday did not include any IE flaws. In 2012 Microsoft has moved to patching IE on a monthly basis, which is faster than the bi-monthly approach of prior years.
The low patch count in September led some experts to wonder if Microsoft had missed something. As it turns out, it had.
Yet despite the fact that Microsoft did not have an IE update in September’s Patch Tuesday, Andrew Storms, director of security operations for nCircle, praised Microsoft’s quick response. “Microsoft had to respond very quickly to this bug,” Storms said. “In addition to the serious security threats it posed to their customers, Internet Explorer’s market share is at risk.”
Storms added that many security pundits and organizations have been telling users to switch browsers until a patch is available. That said, he noted that IE zero-day flaws have been rare, with the last one in December of 2011.
“The good news is that zero days are becoming far less frequent across all Microsoft products,” Storms said. “Microsoft’s ability to go from advisory to patch release so quickly demonstrates their commitment to providing customers with a secure computing environment.”