Category Archives: Internet Explorer

Patch Tuesday for May 2013

This month’s updates include fixes for vulnerabilities in Windows, Internet Explorer, .NET and Office. The main bulletin has all the technical details, and the Microsoft Security Response Center has a more reader-friendly summary, entitled “Microsoft Customer Protections for May 2013”.

The expected patch for recently-discovered vulnerabilities in Internet Explorer 8 is included in this month’s patches as MS13-038. According to Microsoft, you can install this patch whether or not you previously installed the emergency “Fix-It” released by Microsoft.

Internet Explorer 8 vulnerable to new web-based attack

Update 2013May09: Microsoft has issued a ‘Fix-It’ for this problem. This is a temporary, band-aid solution to the problem. It will be superseded by an actual patch at some point. The original bulletin about this issue has been updated to include information about the ‘Fix-It’.

Microsoft recently announced a new attack, targeted at a specific version of Internet Explorer, being exploited in the wild. More details are provided in the associated security advisory from Microsoft.

Only Internet Explorer version 8 is vulnerable to this attack, which begins when someone using IE8 is tricked into visiting a compromised web site. Once the user’s computer is infected, it can be remotely controlled by the attacker.

Anyone using Internet Explorer 8 is strongly urged to upgrade to IE9, or – if using Windows 7 or 8 – to IE10. If upgrading Internet Explorer is not an option, you can reduce the risk of infection by increasing the level of protection provided by the browser, as follows:

  • Set Internet and local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones. This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones. This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
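
Both workarounds come down to per-zone values that Internet Explorer stores in the registry. The following PowerShell is an added example, not part of Microsoft's advisory or of the original post: it reports the current state of Active Scripting and ActiveX in the Internet and local intranet zones for the logged-on user and, with `-Remediate`, switches any that are enabled to Disable (or Prompt). It assumes the standard per-user zone keys and URL action IDs 1400 and 1200; the parameter names `Remediate` and `Target` are this example's own.

```powershell
# Added example: audit, and optionally harden, the per-user IE zone settings
# named in the workaround. Zone 1 = Local intranet, zone 3 = Internet.
param(
    [switch]$Remediate,                      # write changes instead of only reporting
    [ValidateSet(1, 3)][int]$Target = 3      # 1 = Prompt, 3 = Disable
)

$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
# URL action IDs, stored as DWORD values under each zone key
$actions = @{ '1400' = 'Active Scripting'; '1200' = 'Run ActiveX controls and plug-ins' }
$states  = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

foreach ($zone in $zones.Keys) {
    $path = Join-Path $zonesRoot "$zone"
    foreach ($id in $actions.Keys) {
        # Returns $null when the value is absent for this user
        $current = (Get-ItemProperty -Path $path -Name $id -ErrorAction SilentlyContinue).$id
        $label = if ($null -eq $current) { 'Not set' }
                 elseif ($states.ContainsKey([int]$current)) { $states[[int]$current] }
                 else { 'Other (0x{0:X})' -f $current }

        # Only touch values that are explicitly Enabled (0); never loosen
        # a value that is already Prompt or Disabled.
        $changed = $false
        if ($Remediate -and $current -eq 0) {
            Set-ItemProperty -Path $path -Name $id -Value $Target -Type DWord
            $changed = $true
        }

        [pscustomobject]@{
            Zone    = $zones[$zone]
            Setting = $actions[$id]
            Before  = $label
            Changed = $changed
        }
    }
}
```

Run it without arguments first to see the current state. Where zone settings are enforced through Group Policy, the policy values take precedence over these per-user keys, so the change belongs in the GPO instead.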

Ars Technica has additional details.

Patch Tuesday for March, 2013

Yes, it’s that time again. Time to update all your Windows computers, or at any rate helplessly watch as auto-update randomly siphons away your computer’s resources at the most inopportune times.

This month’s crop of updates includes a total of seven bulletins, which address vulnerabilities in Internet Explorer, Outlook, Visio, Silverlight, SharePoint, OneNote and Windows driver technologies.

This month’s bulletins:

  • MS13-021 – Critical : Cumulative Security Update for Internet Explorer (2809289)
  • MS13-022 – Critical : Vulnerability in Silverlight Could Allow Remote Code Execution (2814124)
  • MS13-023 – Critical : Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2801261)
  • MS13-024 – Critical : Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2780176)
  • MS13-025 – Important : Vulnerability in Microsoft OneNote Could Allow Information Disclosure (2816264)
  • MS13-026 – Important : Vulnerability in Office Outlook for Mac Could Allow Information Disclosure (2813682)
  • MS13-027 – Important : Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege (2807986)

If you can’t get enough about these patches, there’s more technical stuff over at the MSRC blog.

Internet Explorer 10 for Windows 7 now available

If you’re interested in using Internet Explorer 10 on Windows 7, head over to this Microsoft Downloads page.

Windows 7 users with autoupdate enabled will be upgraded to IE10 in the coming weeks. Currently, the new version doesn’t appear in Windows Update, but that will also change in the near future.

IE10 is much the same as IE9, but includes JavaScript performance improvements, integrated spell-checking/correcting and better adherence to web standards like CSS3.

Patch Tuesday for February 2013

It’s that time again: time to patch your Windows systems. This month there are twelve bulletins, addressing a total of 57 vulnerabilities in Windows, Internet Explorer and other Microsoft software.

The Microsoft Security Response Center’s post has all the technical details.

Here are the individual bulletins:

Flash Player fix for Internet Explorer 10

The Flash vulnerability reported on December 11 has finally been fixed in Internet Explorer 10.

Microsoft chose not to use the regular Flash plugin in Internet Explorer 10, deciding instead to integrate the player into the IE10 code. As a result, any time the Flash player is updated, Microsoft must make corresponding changes to IE10. Hence the delay in producing the patch for IE10. Google now does the same thing with their Chrome browser, but they tend to make the required changes much more quickly.

Fix for Internet Explorer 6/7/8 now available

Microsoft has issued a special “Fix It” patch for the recently-discovered vulnerabilities in older versions of Internet Explorer.

The original security advisory has been updated to include a link to the fix.

Anyone still using Internet Explorer 6, 7 or 8 should install the fix or stop using IE immediately.

Update 2013-Jan-05: According to the Internet Storm Center, the temporary workaround provided by this Fix-It from Microsoft has already been rendered ineffective by means of a bypass.