January 14, 2013, 4:54 PM — Microsoft today shipped an emergency update for Internet Explorer (IE) to stymie attacks that have been occurring since at least Dec. 7.
The "out-of-band" update -- the label for a security fix outside a vendor's normal schedule -- was expected by experts, who last week predicted Microsoft would issue a fix for the IE flaw before the next Patch Tuesday on Feb. 12.
One of those experts congratulated Microsoft on making even emergency updates boring.
"It's as ordinary as only Microsoft could make an [out-of-band] release ordinary," said Andrew Storms, director of security operations at nCircle Security, in an interview via instant messaging. "While it's rare they go out of band, their idea of emergency is still calm and to the letter of the process."
And that, said Storms, is a good thing. "So much about managing risk [in the enterprise] is about not losing your head and getting caught up in the FUD (fear, uncertainty and doubt)," Storms added. "Microsoft knows how to keep things on a cool and calm pace. They recognized the threat, made a plan, issued mitigation efforts and eventually released an out-of-band. All that within a short time frame. Seems like a classic example of how to run incident response."
Today's MS12-008 update patches a single critical vulnerability in IE6, IE7 and IE8, plugging a hole acknowledged by Microsoft on Dec. 29 after security firms said the website of the Council on Foreign Relations (CFR), a noted U.S. foreign policy think tank, was hosting attack code targeting IE8.
Since then, researchers have found evidence of attacks as far back as Dec. 7 and monitored other domains that have conducted similar drive-bys.
Shortly after it warned customers of ongoing attacks, Microsoft released an automated "Fixit" tool to block exploits and recommended that customers deploy the Enhanced Mitigation Experience Toolkit (EMET), another anti-exploit utility, or, if possible, upgrade to IE9 or IE10, neither of which contains the vulnerability.
However, Exodus Intelligence, a company composed of several researchers who once worked at HP TippingPoint and its Zero Day Initiative bug-bounty program, claimed that the Fixit's and EMET's protections could be circumvented. And Windows XP customers were unable to upgrade from IE8, since Microsoft has barred them from running IE9 or IE10.