Microsoft today released an emergency patch for IE (Internet Explorer) to stymie active attacks that have been exploiting a bug in the browser, finishing a job it started only Monday.
"Let's call it five days from advisory to patch," said Andrew Storms, director of security operations at nCircle Security. "I'd like to see anybody pull that off."
[ The Web browser is your portal to the world -- as well as the conduit that lets in many security threats. InfoWorld's expert contributors show you how to secure your Web browsers in this "Web Browser Security Deep Dive" PDF guide. ]
The so-called "zero-day" vulnerability -- meaning it was leveraged by attackers before Microsoft was aware of the bug, much less able to patch it -- surfaced six days ago. Since then, Microsoft has published an advisory (on Monday), confirmed the vulnerability and issued a "Fixit," one of its automated configuration tools, to block the known exploits (Wednesday).
The Fixit relied on a tactic Microsoft first deployed in January 2011, when it used a "shim," or application compatibility workaround, to thwart then-circulating attacks against IE.
Then, as in the recent Fixit, Microsoft utilized the Application Compatibility Toolkit, included with Windows since XP, to modify the core library of IE -- a DLL, or Dynamic-Link library, named "Mshtml.dll," that contains the rendering engine -- in memory each time the browser ran.
Users who have already enabled the shim do not have to uninstall it -- or disable the Fixit -- when they patch today, Microsoft said.
Today's update was rated "critical" by Microsoft, the company's highest threat ranking.
Of the four non-zero-day vulnerabilities, three were limited to IE9, the edition that debuted in March 2011. The fourth impacted only IE7 and IE8. All five vulnerabilities patched by MS12-063 today, including the zero-day, were tagged as critical.
Security experts said that Microsoft had this update -- sans the patch for the zero-day -- already ready, and failing the hustle to fix the exploited vulnerability, it would have been amongst those delivered next Patch Tuesday, Oct. 9.
"What we're seeing is next month's patch," said Storms. "Given that the four others were all responsibly disclosed, they don't present that much of a threat." Storms also called the other patched bugs "par for the course" for IE.
MS12-063 applies to all supported editions of Windows -- XP, Vista and Windows 7 -- and affects IE6, IE7, IE8, and IE9. Only IE10, the browser bundled with Windows 8, is immune.
Friday's "out-of-band" -- security-speak for an emergency update outside the usual monthly Patch Tuesday schedule -- will be the first that Microsoft has released this year and only the second since September 2010. It was also the first emergency patch of an IE zero-day vulnerability since January 2010, when Microsoft fixed a flaw exploited by the "Aurora" Trojan horse.