PWN2OWN IE flaw fixed too as Microsoft applauded for acting fast
Microsoft has proved the doubters wrong by pulling together a full patch for a zero-day vulnerability being used in attacks on Internet Explorer 8 users in time for its monthly update next week.
Patch Tuesday includes ten bulletins addressing 33 unique vulnerabilities, two of which are critical, including the one affecting Internet Explorer 8. That flaw was used in an attack involving a breach of the US government’s Department of Labor website.
Microsoft had already issued a one-click “Fix it” to give IT teams a way of ensuring IE8 exploits using the vulnerability won’t work, whilst a patch was in the works. The patch was confirmed in Microsoft’s advance notification advisory.
Many hadn’t expected the tech titan to deliver a full fix so quickly. “That’s record time turn around speed for Microsoft and will be sweet music to everyone’s ears,” said Andrew Storms, director of security operations at Tripwire.
The other critical bulletin fixes a critical remote code execution vulnerability discovered during the PWN2OWN competition at CanSecWest earlier this year, affecting IE8 and 9.
The remaining bulletins are rated as important, and include a spoofing issue affecting Windows, from XP through Windows RT and Windows 8. There is a trend towards more “important” updates, according to analysts.
“Microsoft is continuing to dig deeper into their code base to uncover lower level vulnerabilities,” added Paul Henry, Security and Forensic Analyst with Lumension.
“This is good news and I believe the trend toward higher numbers of important bulletins will continue given Microsoft’s apparent commitment to proactively discovering and patching security issues in their code.”
Cops, Villains and Victims: Try our IT Law quiz!