Microsoft Releases Out-of-Band Patch For IE Vulnerability

Released as a MSI package, the patch is described as a workaround that leverages the Windows application compatibility toolkit to make a small change to MSHTML.DLL in memory every time the DLL is loaded by Internet Explorer. Microsoft previously recommended IE users to take this step manually, while the patch automates the task. Microsoft provides an installation guide for the workaround as well as information to uninstall the patch again.

Microsoft stressed that the workaround is only effective if all recent security updates for IE have been installed as well.

The company confirmed existing attacks that exploit the vulnerability. However, Microsoft said that "only 32-bit versions of Internet Explorer" are targeted and attacks "rely on third-party browser plugins to either perform efficient heap-spray in memory and/or to bypass the built-in mitigations of Windows Vista and 7 such as DEP and ASLR." However, users can further reduce the risk of a successful attack by updating their Java version from Java 6 to 7.

_{Contact Us for News Tips, Corrections and Feedback}

Latest

TSMC to charge premium for making chips outside of Taiwan, including its new US fabs, CEO says

See more latest ►

15 Comments Comment from the forums

michalmierzwa

And yet another reason why you should move away from IE and use Chrome/Firefox
Reply
steve360

IE should be renamed to Swiss Cheese. It has that many holes.
Reply
salgado18

Too bad people still use old IE's, too bad Microsoft did such a bad browser; but that's nice of Microsoft, launching a critical update to defunct software, unlike most companies that just don't care.
Reply
john_4

steve360IE should be renamed to Swiss Cheese. It has that many holes.MS had to make it like their NSA co-authored OS, aka Swiss Cheese. But all those built in back doors for the FEDS come at price. Want security use Linux
Reply
igot1forya

That is why I always refer to IE as Internet Exploiter :)
Reply
bourgeoisdude

Actually this was the first serious IE flaw in a long time. We have not had any virus's exploiting an IE flaw here at work since 2007. Flash player since 2010, Java seemingly every month (if only those website admins would stop using Java for their content...)
Reply
Vorador2

Well, they were faster than i expected.

bourgeoisdudeActually this was the first serious IE flaw in a long time. We have not had any virus's exploiting an IE flaw here at work since 2007. Flash player since 2010, Java seemingly every month (if only those website admins would stop using Java for their content...)
On the positive side, Javascript <> Java. The javascript engine from Firefox and Chrome is far more secure than Oracle's JRE. Worst thing, almost everytime Oracle patches a bug, it introduces a vulnerability, and viceversa. There was a small bug in windows JRE6 than if you were running a java application and then shutdown windows, the application hanged and you had to force close it. They never fixed it, simply saying tham to solve it, upgrade to JRE7. Piece of *** software.
Reply
freggo

I'm not a fan of M$ or IE by any stretch of the imagination but exploits happen to every browser with a decent market share.
Micro$oft was made aware of a problem and came up with a patch. What else should they have done ?
It's not as if Firefox, Opera or Chrome are perfect; as a web developer I -have to- use all 4.

What buggers me far more that I can have a relatively simple page layout with a few tables and basic CSS and it still looks different on all 4 browsers. Try to explain that to a client !

Reply
blazorthon

To think that so many people said that MS wouldn't update any IE versions that aren't used on Windows 8 with this patch as incentive to upgrade. I guess that MS deserves some credit, after all.
Reply
rantoc

At least one company moves fast to secure the systems rather than pull excuses out of their ass while their customers suffer from it.
Reply

Show more comments

Stay on the Cutting Edge

Most Popular