Microsoft has delivered on its promise and has issued a security update for Internet Explorer to address the zero-day memory-corruption vulnerability in versions 9 and earlier that is currently being exploited in attacks.
The update also takes care of four privately disclosed vulnerabilities that are currently not being exploited.
Microsoft has also released an update for Adobe Flash Player in Internet Explorer 10 on all supported editions of Windows 8 and Windows Server 2012, in order to close two vulnerabilities that could allow remote code execution.
One of them, CVE-2012-1535, is currently being exploited by the Elderwood gang, a hacker group whose activities have recently been exposed by Symantec researchers.
“We recognize there has been some discussion about our update process as it relates to Adobe Flash Player. Microsoft is committed to taking the appropriate actions to help protect our customers and we are working closely with Adobe to deliver quality protections that are aligned with Adobe’s update process,” commented Yunsun Wee, director of Microsoft Trustworthy Computing.
He also announced that with respect to Adobe Flash Player in Internet Explorer 10, users can expect regular updates on a quarterly basis, and additional unscheduled updates if the threat landscape requires it.
“Internet Explorer zero-days have been very rare in recent months. The last IE zero-day was in December of 2010 and it was patched in the February, 2011 patch Tuesday. The good news is that zero days are becoming far less frequent across all Microsoft products,” Andrew Storms, director of security operations for nCircle, commented for Help Net Security.
“Microsoft’s ability to go from advisory to patch release so quickly demonstrates their commitment to providing customers with a secure computing environment. Earlier this year, Microsoft stated that they had enough resources to deliver an IE patch every month if necessary. Those additional resources certainly helped them deliver this patch in record time.”
Users who have not enabled automatic updating are advised to manually check for updates and download and install both of today’s updates as soon as possible.