Microsoft chose not to use the regular Flash plugin in Internet Explorer 10, deciding instead to integrate the player into the IE10 code. As a result, any time the Flash player is updated, Microsoft must make corresponding changes to IE10. Hence the delay in producing the patch for IE10. Google now does the same thing with their Chrome browser, but they tend to make the required changes much more quickly.
Microsoft has issued a special “Fix It” patch for the recently-discovered vulnerabilities in older versions of Internet Explorer.
The original security advisory has been updated to include a link to the fix.
Anyone still using Internet Explorer 6, 7 or 8 should install the fix or stop using IE immediately.
Update 2013-Jan-05: According to the Internet Storm Center, the temporary workaround provided by this Fix-It from Microsoft has already been rendered ineffective by means of a bypass.
A new exploit, targeted at users of older versions of Internet Explorer, recently surfaced. IE 9 and 10 are not vulnerable to this exploit.
Microsoft is working on a patch, but until it’s available, anyone using Internet Explorer 6, 7 or 8 should exercise extreme caution when browsing the web, or – better yet – switch to a different browser such as Firefox, Opera or Chrome.
Unfortunately for anyone still using Windows XP, including a large number of corporate users, recent versions of IE (9 and 10) don’t run on that version of Windows. XP users are strongly encouraged to stop using Internet Explorer.
This month there are seven bulletins, addressing twelve issues in Windows, Internet Explorer (including IE 10) and Office. The Microsoft Security Response Center has a useful summary. For the gory details, see the official security bulletin for the December updates over at Technet.
Here are the bulletins:
At one point it looked like Microsoft might not produce a version of Internet Explorer 10 that would run on any version of Windows earlier than Windows 8. Thankfully, for those of you still using Microsoft’s web browser, a Windows 7 compatible version of IE10 is now available. Please note that this version is categorized as a ‘Release Preview’, so it is probably somewhat buggy.
Another month, another Patch Tuesday. As discussed in the advance warning post, this month’s crop consists of six patches with nineteen fixes for Windows (including Windows 8), Office, Internet Explorer and .NET:
- MS12-071: Internet Explorer [Critical]
- MS12-072: Windows [Critical]
- MS12-073: Internet Information Server
- MS12-074: .NET Framework [Critical]
- MS12-075: Windows [Critical]
- MS12-076: Office
Windows users are encouraged to install the critical updates as soon as possible via Microsoft Update.
More details at the Microsoft Security Response Center.
It’s Patch Tuesday and Microsoft has released seven security bulletins, affecting Windows, Word, Internet Explorer and other Microsoft software. A total of 20 vulnerabilities are addressed by the updates. We covered the details in a previous post. As always, we encourage everyone running affected software to apply the updates as soon as possible.
The change will occur shortly after the release of Internet Explorer 10, on November 15, 2012.
Internet Explorer 8 is the most recent version of the web browser that runs on Windows XP, so anyone who uses Internet Explorer on Windows XP to access Google Apps will need to switch to a different web browser, or upgrade to Windows 7 or 8 after November 15.
Update 2012Sep22: As promised by Microsoft, patches for Internet Explorer versions 9 and earlier were made available yesterday. The patches are available through regular update channels, including Windows Update and Microsoft Update. Security Bulletin MS12-063 has all the details, including links for downloading the updates separately.
Update 2012Sep21: A fix for this issue, promised earlier this week by Microsoft, was announced yesterday. Anyone using Internet Explorer for web browsing is strongly encouraged to install the fix immediately. A proper (i.e. fully tested) patch will be available from Microsoft later today.
Update 2012Sep18: Microsoft has issued a security bulletin that goes into some detail about this issue and suggests workarounds. Apparently you can install the ‘Enhanced Mitigation Experience Toolkit’, or configure Internet Explorer to either prompt before running ActiveX scripts or prevent them from running altogether.
A newly-discovered vulnerability in most versions of Internet Explorer is being exploited in current, ongoing attacks.
Anyone using IE 6, 7, 8 or 9 on Windows XP, Vista or 7 is potentially at risk. To become infected, a user need only visit a web site that contains the exploit code. Typically, trojan malware is then installed silently on the user’s computer. The computer is then open to further attacks as well as remote control by the perpetrators.
Internet Explorer 10 is not affected.
The exploit code may be placed on a web site without the knowledge of the site owner, if the site is not secure.
This vulnerability and the associated attacks are serious enough to warrant extreme caution when using Internet Explorer. Some experts are recommending discontinuing the use of Internet Explorer until a fix becomes available.
Microsoft has issued a bulletin that provides additional details.