Microsoft will be releasing an out-of-band patch (on Monday 14 January 2013 in the USA) for the recently-disclosed zero-day hole in Internet Explorer.
→ The adjective out-of-band in this context is a bit of a metaphorical stretch, but it’s what the industry has settled on. It doesn’t mean that the patch will arrive via a different frequency channel, as it might in telecommunications. You can still get the patch using Windows Update. It’s just outside the usual schedule of patches issued every month on Patch Tuesday.
Actually, we can’t be 100% certain that last December’s vulnerability, documented by Microsoft in Security Advisory 2794220, is the one that will be fixed.
All we know from the 1750 words in Microsoft’s early announcement boilerplate is that Redmond will be fixing “a security vulnerability in Internet Explorer” that is denoted Critical:
Critical: a vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email.
Nevertheless, I’ll assume that tomorrow’s fix will deal with Security Advisory 2794220. And on that basis, I urge you to follow Microsoft’s own advice:
Microsoft recommends that customers apply Critical updates immediately.
Update: Microsoft emailed us to confirm that the patch is indeed for the vulnerability documented in Security Advisory 2794220.
When the crooks are already all over an exploit, as they are in this case, you should give patching your highest priority, even if you already have tools (such as security software) that does a good job of mopping up the trouble.
Microsoft already published a temporary FixIt tool to protect against this vulnerability. It also recommended its epically-named Enhanced Mitigation Experience Toolkit (EMET) for an layer of mitigation for this and other vulnerabilities, known and unknown.
→ EMET is somewhere between a process-hardening tool and a sandbox, forcing security protections onto programs that don’t have them by default, and adding an additional layer of protection to software that includes code in which a security holes have been found.
However, there are reports that variants of this exploit exist that work even if you are using EMET, and even after you have run Microsoft’s abovementioned FixIt.
Update: Microsoft emailed us to confirm that the patch addresses all known exploits against vulnerability 2794220, including the variants that claim to work around the FixIt.
Sadly, too, Metasploit, the vulnerabilities-anyone-can-exploit-for-free product, already has what it calls a browser auto pwn plug-in you can download to exploit this vulnerability yourself.
In short, tomorrow’s patch is one to push out and then deal with any fallout, rather than the other way around.
By all means, test, digest and deploy. But make this one of those patches you deal with in hours, or in the worst case, days. Not in weeks, and very definitely not in months.
Note also that the 2794220 vulnerability affects neither IE 9 nor IE 10. If you’re already using one of those versions, you’re sitting pretty.
Both IE 9 and IE 10 include designed-in improvements intended to boost security, so if you’re clinging to older versions for legacy reasons, please give earnest consideration to striking camp and setting up afresh.
For a discussion of priorities when patching, why not listen to this Technow podcast, in which Chet and Duck discuss whether you should you lead, follow, or get out of the way when patches roll around:
(19 July 2012, duration 15’25”, size 11MBytes)
Sophos Anti-Virus on all platforms blocks malicious files relating to this vulnerability as follows:
• Exp/20124792-B: Various files associated with the exploit
• Sus/Yoldep-A: Seen in related (“Elderwood Project“) attacks
• Troj/SWFExp-BF: Flash component used to trigger exploit