Microsoft has issued an out-of-band security update to patch the zero-day vulnerability that affects all versions of Internet Explorer and is being actively exploited in the wild in targeted attacks seemingly directed against US-based defense and financial firms.
“While we’ve seen only a limited number of targeted attacks, customers are advised to install this update promptly. The majority of our customers have automatic updates enabled and so will not need to take any action as protections will be downloaded and installed automatically. If you’re unsure if you have automatic updates, or you haven’t enabled Automatic Update, now is the time,” says Dustin Childs, Group Manager at Microsoft’s Trustworthy Computing.
This security update addresses every version of Internet Explorer.
The company is today also pushing out an update for all versions of Windows XP.
“We made this exception based on the proximity to the end of support for Windows XP,” shares Adrienne Hall, General Manager, Microsoft Trustworthy Computing, and notes that “just because this update is out now doesn’t mean you should stop thinking about getting off Windows XP and moving to a newer version of Windows and the latest version of Internet Explorer.”
SANS ISC CTO Johannes Ullrich also urges users to patch immediately.
“Even though many organizations started to move away from Internet Explorer as a primary browser, it may still launch in some cases and unless you are using a non-Microsoft operating system you are likely vulnerable. Even servers should apply this patch, but it is less likely that the vulnerability is exposed on a server,” he notes.