bit-tech.net

Microsoft releases out-of-cycle patch for IE flaw

Microsoft releases out-of-cycle patch for IE flaw

Microsoft has released an out-of-cycle patch for a critical security hole in its Internet Explorer browser, which is being actively exploited to run code on targeted systems.

Microsoft's bad September continues to grow worse, with the company being forced to issue an out-of-cycle patch for a zero-day vulnerability in its Internet Explorer web browser.

Microsoft's September got off to a bad start when the company issued a raft of faulty updates as part of its monthly Patch Tuesday release cycle. While the issues have now been resolved, the company was forced to remove and re-release a total of ten patches - making it the worst Patch Tuesday in a six-month run that has seen only a single month go by without a show-stopping fault resulting in patches being reissued following customer complaints.

Today's admission from the company isn't going to do much to salve its public image, either: Microsoft has confirmed that a flaw in its Internet Explorer web browser is being actively exploited in targeted attacks, and considers the issue serious enough to release an out-of-cycle fix ahead of next month's Patch Tuesday.

The update, which is only available for manual installation and will not be published through Windows Update, is a work-around rather than a true fix for a pretty serious flaw in Microsoft's MSHTML Shim component - which had already been targeted in prior attacks at the start of the year. 'This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type,' explained Microsoft's Dustin Childs in an alert to the security community.

'This would typically occur when an attacker compromises the security of trusted websites regularly frequented, or convinces someone to click on a link in an email or instant message. Running modern versions of Internet Explorer ensures that customers receive the benefit of additional security features that can help prevent successful attacks,' he added - but while the current targeted attacks are only being pointed at the outdated Internet Explorer 8 and Internet Explorer 9 releases, it is thought the flaw could exist across all versions of IE.

For those who use Internet Explorer, Microsoft's advice is to install the out-of-cycle Fix-It patch to work around the issue until a proper solution can be found. The patch applies to all version of Internet Explorer from IE 6 through to the latest IE 11, although is only designed to resolve the issue with the 32-bit version - the 64-bit version, it would seem, being better protected against the vulnerability.

With Microsoft's recent track record for patches causing problems worse than they solve, however, users would be well advised to test the patch on a virtual machine or similar throw-away system before rolling it out on a wider scale.

23 Comments

Discuss in the forums Reply
Snips 18th September 2013, 11:24 Quote
I don't get it, they've found vulnerabilities, provided solutions and this is somehow a bad thing?

Slow news day?
Corky42 18th September 2013, 11:30 Quote
I would argue this doesn't damage there public image, its good to know they are releasing security related patches as they become aware of them. Although they then go onto to shoot them selves in the foot by not making it available via WU, a system designed to make sure peoples systems are kept up to date.
Gareth Halfacree 18th September 2013, 11:30 Quote
Quote:
Originally Posted by Snips
I don't get it, they've found vulnerabilities, provided solutions and this is somehow a bad thing? Slow news day?
I'd beseech you to read the article before making comments like that. If that's too much to ask, allow me to summarise:
  • Microsoft did not discover the flaw; an independent researcher published it to the CVE.
  • Microsoft is not releasing the patch through Windows Update, leaving those who are not alerted to it through articles like this unprotected until at least next Patch Tuesday in October.
  • Further to the above: the flaw is being actively exploited in the wild.
  • The 'solution' is a workaround, and simply disables the flawed MSHTML shim - which means anything relying on said shim will break.
  • Which is exactly what Microsoft did back in January, when yet another remote code execution vulnerability was found in the MSHTML shim.
  • The targeted attacks in-the-wild so far only look for IE8 and IE9, but the flaw exists from IE6-11 - a massive swathe of vulnerable users.

So, no, not a slow news day - but a very important story.
liratheal 18th September 2013, 12:41 Quote
I don't really use IE, but installed anyway.
Snips 18th September 2013, 13:10 Quote
Gareth, read my comments before making comments like that.
Gareth Halfacree 18th September 2013, 13:14 Quote
Quote:
Originally Posted by Snips
Gareth, read my comments before making comments like that.
Oh, but I do. Every time. Even though I can predict their content with 99% accuracy simply from knowing what I wrote in the article...
Snips 18th September 2013, 13:58 Quote
Is that right? Well try the balanced approach next time and not the "usual" anti-Microsoft reporting you somehow always seem to portray.

Maybe then, you may get comments about the article and not your bias.
Gareth Halfacree 18th September 2013, 14:02 Quote
Quote:
Originally Posted by Snips
Is that right? Well try the balanced approach next time and not the "usual" anti-Microsoft reporting you somehow always seem to portray. Maybe then, you may get comments about the article and not your bias.
My bias? Wow. Perhaps if you weren't so blind to Microsoft's various failings, everyone who doesn't act like it's the second coming wouldn't appear biased to your eyes.

I'd dig out all the stories I've written about the good things Microsoft has done, but let's face it: you're just trolling to waste my time. Get a new schtick, dude - your pro-Microsoft fanboyism got old a long time ago.
forum_user 18th September 2013, 16:06 Quote
Quote:
Originally Posted by Gareth Halfacree
Critical vulnerability being actively exploited.
http://www.bit-tech.net/news/bits/2013/09/18/ms-ie-patch/1

Being actively exploited ... but MS is not releasing the patch to everyone. Just tech geeks who read up on tech news ...

Smells fishy to me.
Snips 18th September 2013, 18:29 Quote
Not at all, we all expect more from Bit-tech and it's unbias reporting. Something clearly forgotten by some.
Gareth Halfacree 18th September 2013, 18:32 Quote
Quote:
Originally Posted by Snips
Not at all, we all expect more from Bit-tech and it's unbias reporting. Something clearly forgotten by some.
Yes. By you, it would seem. Mote, eye, beam, thine own, yadda yadda.

Interesting that you should pop up in Microsoft's defence in *this* thread, too, while being completely absent in the thread about the ten patches it had to withdraw and reissue this month. Or the month before that. Or the month before that. Or the month before that.
SchizoFrog 18th September 2013, 18:39 Quote
OK, here are my opinions on this article and the comments above:

Critical articles and opinions are to be expected from anything as big as Microsoft, the larger you get the bigger the target you become. Often negative articles and comments about such 'big' things are not always a bad thing though as they can highlight often glossed over failings and help identify issues to be rectified. I have no problem with this, I have major problems with articles and comments that say nothing more than 'MS is ****, use something else'.

I am a bit confused by this article though. Not this article itself but why it was even written and deemed worthy as a news point. So I am not a serious OS or Network Admin geek so I may not understand it's importance, but then that should have been explained in the article if it was such, but to my understanding there are nearly always flaws, back doors and 'in-the-wild' vulnerabilities with products such as Windows. It has always been the case and most likely always will be. So why was this particular flaw deemed to be different and important enough to warrant it's own individual story?

As for comments responses... I think Gareth has had a bad day, he doesn't normally bicker like a little girl. However, it is highly annoying and frustrating when news stories and articles only seemed to be followed by the relevant admins for a couple of days or even only a few hours leaving questions to go unanswered from readers in the comments sections. The MOST important thing about a website is the interaction between forum members and the site's admins, I think that is often forgotten in these articles. and too much time is spent elsewhere.

As for a 'slow news day' comment, I have to agree some what. I mean really, how many of this site's readers do you really think will bother with this story? I only came here because I thought it was a continuation of the 'patch Tuesday' article a few days ago and then I read the comments.
I have to be honest as I have often felt like commenting about the articles that appear on Bit-Tech these days but usually end up deleting said comment rather than posting. There is not enough of the old school articles that made Custom PC and Bit-Tech (once it changed names) great. There are far too many of the same articles and reviews, how many reviews do you want to do of very similar cases, fan controllers and almost identical SSD's? Not to mention the so called 'game reviews'. I loved this site and the mag when it was about hardware and what you can do with it. Not how to waste time being anything but constructive. There are dedicated game review websites and magazines for that, it gets worse when most of the games reviewed are sub-par, budget releases or mobile app games. This is not what I come here for and I think the stats prove that others feel the same. Just look at the comment numbers on articles and count how many comments there are these days. The large amount fail to even get double figures and I remember when articles used to hit hundreds of comments.

Anyway, I've had my rant and said my piece. Take it as you will but it was meant as polite and constructive criticism.
Gareth Halfacree 18th September 2013, 18:46 Quote
Quote:
Originally Posted by SchizoFrog
I am a bit confused by this article though. Not this article itself but why it was even written and deemed worthy as a news point. So I am not a serious OS or Network Admin geek so I may not understand it's importance, but then that should have been explained in the article if it was such, but to my understanding there are nearly always flaws, back doors and 'in-the-wild' vulnerabilities with products such as Windows. It has always been the case and most likely always will be. So why was this particular flaw deemed to be different and important enough to warrant it's own individual story?
Two reasons: one, that the flaw is being actively exploited in targeted attacks, something Microsoft has admitted while downplaying the number as being 'limited;' two, that the patch is not being pushed out automatically, meaning that those with IE installed will be vulnerable to said attacks until the proper update is released unless they read an article like mine and run Microsoft's Fix It as liratheal did in the comments upthread.

The flaw, for clarity, is what's known as a zero-day vulnerability. This means the bad guys know about it - as evidenced by the ongoing attacks targeting the flaw - but there is no patch yet released. The workaround is a 'fix' for now, but needs manually installing - something Microsoft isn't going out of its way to inform its customers about. Hence the need for news articles like the above: they get the word out. Don't use IE? You may still need the patch, as it's embedded in the OS pretty deeply - and even if you don't use IE, the chances are good you know someone who does and can pass the message on.
Quote:
Originally Posted by SchizoFrog
As for comments responses... I think Gareth has had a bad day, he doesn't normally bicker like a little girl.
No, but I do have a very limited capacity for dealing with fanboys who accuse me of bias with absolutely no justification.
Quote:
Originally Posted by SchizoFrog
Anyway, I've had my rant and said my piece. Take it as you will but it was meant as polite and constructive criticism.
And it was, indeed taken as such - and I thank you for taking the time to make the post.
Fracture 19th September 2013, 08:35 Quote
Quote:
Originally Posted by SchizoFrog
I am a bit confused by this article though. Not this article itself but why it was even written and deemed worthy as a news point. So I am not a serious OS or Network Admin geek so I may not understand it's importance...

I think your logic is a little flawed here... Just because you read an article that you found didn't really relate or interest you doesn't automatically deem it irrelevant to every single other user on these forums. This is a website for both PC enthusiasts and professionals alike. Its PC related news... How is it irrelevant?
Quote:
Originally Posted by SchizoFrog
As for comments responses... I think Gareth has had a bad day, he doesn't normally bicker like a little girl.

I think the comments were handled pretty well by Gareth. Its rare to find such a level-headed, fact filled and accurate response to a forum user who is clearly trolling and didn't even bother to read the article.
Nexxo 19th September 2013, 08:52 Quote
I agree. Being accused of bias every time you publish some useful information just because it does not paint some company in a glorious light gets tiring pretty soon.

I mean, FFS. These are just brands. I'll stick up for Windows 8 and even own a Windows Phone, but it's not like Microsoft is my mother or something. It's not as if Microsoft, Apple or Google care about us beyond making us buy their stuff. Fanboiism is the most asinine behaviour ever. It's the forum equivalent of people having punch-ups on the football pitch over which club they support.

If you don't think that the article is relevant to you, them don't read it and move on. Other people may find it very important. Another reminder that you are not the centre of the universe.
SchizoFrog 20th September 2013, 03:10 Quote
I just want to defend my comment and opinion about the importance of the original article in response to the latest comments about being 'the centre of the Universe'.

I never suggested that articles should be tailored for my own personal tastes and even mentioned that I may not understand the importance of the subject matter. However, I haven't seen widespread news articles or alerts about this particular threat and wondered why it merited an article of it's own. Just because it is a zero-day threat, out-in-the-wild and being exploited I still don't see it to be a big enough issue of importance. Some people and systems may and will fall victim to this I agree but why is it so different from so many other vulnerabilities? Many of which are also zero-day, out-in-the-wild and being continuously exploited but they don't all get reported in articles like this one. So once again I was wondering why this one stood out and to me, it still doesn't stand out, not warrant a news article of this manner. You only have to look at the comments above, or the lack of to get some idea of how interested people were in reading and discussing this subject. I happen to think that maybe time and effort could have been better spent elsewhere.
I also happen to think that those people who run this website and the magazine may just be interested in other people's opinions about what they do and do not find interesting reading from time to time, as if they didn't they would soon find themselves writing articles that no one read and thus they would soon be out of a job.
It's only my opinion and you are welcome to agree or not as you will. However, should my comments further annoy you then might I suggest you take your own advice and 'move on'? Other people may well be agreeing with my comments too you know.
Gareth Halfacree 20th September 2013, 09:15 Quote
Quote:
Originally Posted by SchizoFrog
However, I haven't seen widespread news articles or alerts about this particular threat and wondered why it merited an article of it's own. Just because it is a zero-day threat, out-in-the-wild and being exploited I still don't see it to be a big enough issue of importance. Some people and systems may and will fall victim to this I agree but why is it so different from so many other vulnerabilities? Many of which are also zero-day, out-in-the-wild and being continuously exploited but they don't all get reported in articles like this one.
This appears to be the root of your confusion: there aren't "many [vulnerabilities] which are also zero-day, out-in-the-wild and being continuously exploited." If there were, nobody would be using Windows for very long.

There are, realistically, three classes of dangerous vulnerabilities: the ones we don't know about, the ones we do know about, and the ones we've fixed. The former is the most dangerous, yet the least widespread: a small portion of ne'er-do-wells know about it and actively exploit it, but they need to keep that knowledge private lest the software company get wind of it and fix the bug. The middle category, into which this flaw fits, is arguably less dangerous but more widespread: the software company knows about it and is working on a fix, but for now the majority of users are vulnerable and, unlike the former category, it's guaranteed that all ne'er-do-wells know at least of its existence and will be actively attempting to use it to exploit targets. The latter, meanwhile, becomes a race against time: if a patch is released, the pool of exploitable targets becomes ever-smaller - although never totally disappears, thanks to users doing inadvisable things like ignoring Windows Update or using outdated versions of the software for which no patch was ever released.

You can't easily write about the vulnerabilities that we don't know about, which means you're left writing about the vulnerabilities we do know about. The biggest issue, then, is the ones that are not yet patched - as with this vulnerability. It leaves customers at-risk, and in the case of this particular vulnerability it's a serious risk: simply visiting a website in any version of IE, or loading an HTML page in various other applications which use the IE engine to render said content, is enough for an attacker to exploit the vulnerability and take total control of your computer. You can protect against this by applying the Fix It patch - but only if you know it exists, which, as I've said upthread, is where the import of this story comes into play.

As far as I'm aware - and please, do feel free to correct me on this if there's something I've missed - there are no other known but unpatched vulnerabilities in any version of Windows or IE that are as serious as this one; if there were, I would have written about those, too.

Does that help to explain things at all?
Nexxo 20th September 2013, 09:21 Quote
Quote:
Originally Posted by SchizoFrog
I just want to defend my comment and opinion about the importance of the original article in response to the latest comments about being 'the centre of the Universe'.

I never suggested that articles should be tailored for my own personal tastes and even mentioned that I may not understand the importance of the subject matter. However, I haven't seen widespread news articles or alerts about this particular threat and wondered why it merited an article of it's own. Just because it is a zero-day threat, out-in-the-wild and being exploited I still don't see it to be a big enough issue of importance. Some people and systems may and will fall victim to this I agree but why is it so different from so many other vulnerabilities? Many of which are also zero-day, out-in-the-wild and being continuously exploited but they don't all get reported in articles like this one. So once again I was wondering why this one stood out and to me, it still doesn't stand out, not warrant a news article of this manner. You only have to look at the comments above, or the lack of to get some idea of how interested people were in reading and discussing this subject. I happen to think that maybe time and effort could have been better spent elsewhere.
I also happen to think that those people who run this website and the magazine may just be interested in other people's opinions about what they do and do not find interesting reading from time to time, as if they didn't they would soon find themselves writing articles that no one read and thus they would soon be out of a job.
It's only my opinion and you are welcome to agree or not as you will. However, should my comments further annoy you then might I suggest you take your own advice and 'move on'? Other people may well be agreeing with my comments too you know.

Reader feedback is important, but only useful if it is constructive. Saying: "Why are you even publishing this? I don't see how this is important" does not tell the Bit-Tech editor anything of what you do find important and would like to read more of. Telling people what not to do does not tell them what to do instead.

Meanwhile this thread has had 485 views, so apparently someone is taking an interest.

As an aside, you have no problem telling Gareth that he bickers like a little girl, but obviously you do not take comments about your post in the same casual spirit. :p If you dish it out, you have to be able to take it too.
forum_user 20th September 2013, 10:50 Quote
Can I temporarily divert your bickering at the staff of BT?

Guys, why if this exploit is so serious and currently being abused, are MS not making the work-around fix important enough to be on Windows Update?
Gareth Halfacree 20th September 2013, 11:00 Quote
Quote:
Originally Posted by forum_user
Guys, why if this exploit is so serious and currently being abused, are MS not making the work-around fix important enough to be on Windows Update?
Because: a) it breaks anything that relies on MSHTML shim functionality; 2) they're working on a proper fix to be released, hopefully, next Patch Tuesday; and iii) have you seen what's been happening with Microsoft's patches the last few months? Five out of six months, they've had to withdraw and reissue patches - and those are the ones that have gone through proper testing. Now imagine how likely to work a rushed-through patch would be, one that's rolled out automatically to all customers. Yeah. Not pretty.

Microsoft's Fix It 'solutions' are never released through Windows Update, as in 99 per cent of cases they simply disable the broken bit of software until it can be properly fixed later.
forum_user 20th September 2013, 17:47 Quote
Thank you!

I understand all four of your points: i) b) and 3)

But if people are at risk from the NSA hackers exploiting these new found exploits, then surely MS should at least warn everyone properly?
Gareth Halfacree 9th October 2013, 10:53 Quote
Quick update: yesterday's Patch Tuesday releases - which, incidentally, fall on the service's tenth anniversary - included a patch for the flaw detailed in this article.
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.



Discuss in the forums