
Microsoft releases unscheduled patch for IE zero-day, XP users get fix too

Microsoft has patched a critical Internet Explorer flaw being leveraged in zero-day attacks – and those running no-longer-supported Windows XP will also benefit from the unscheduled update.

In a Thursday blog post, Dustin Childs, the group manager of response communications at Microsoft Trustworthy Computing, announced that the out-of-band release was “fully tested and ready for release for all affected versions of the [IE] browser.”

The fix addresses a remote code execution vulnerability (CVE-2014-1776), affecting IE 6 through IE 11, that exists in the way IE accesses an object in memory that has been deleted or improperly allocated, the tech giant said in a weekend advisory.

By using an Adobe Flash exploitation technique, an attacker could execute arbitrary code within victims' browsers.

In addition to dispatching a swift fix for the bug, Microsoft also revealed that Windows XP, software that reached its end of support last month, was not left out of remediation efforts.

“We have made the decision to issue a security update for Windows XP users,” Childs wrote. “Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1. Additionally, customers are encouraged to upgrade to the latest version of Internet Explorer, IE 11.”

Childs also noted that, for the majority of customers, the patch would be downloaded and installed automatically (if they've enabled Automatic Update). For others, instructions on implementing the patch are included in the Thursday security bulletin.

In a prepared emailed statement, Adrienne Hall, general manager of Microsoft Trustworthy Computing, said that, after reports first surfaced on the IE vulnerability, the company decided to “fix it, fix it fast, and fix it for all our customers.”

The patch comes after security firm FireEye revealed on Saturday that an advanced persistent threat (APT) group had taken advantage of the bug in a campaign dubbed “Operation Clandestine Fox.” While the attacks were originally noted as being aimed at IE 9 through IE 11, FireEye released new findings on Thursday that showed a broader attack campaign.

In a blog post, FireEye said that the operation was now exploiting Windows XP machines running IE 8, and that saboteurs had expanded their sights by targeting organizations in the government and energy sectors.

In a Thursday email to SCMagazine.com, Darien Kindlund, FireEye's director of threat research, said that the firm notified Microsoft of the new attacks Monday and worked with the tech giant to mitigate the issue.

“On Monday, we uncovered and shared with Microsoft a new set of attacks targeting Windows XP and IE version 8 after we had uncovered and shared a separate set of attacks targeting Windows 7 and 8 and IE versions 9-11 last Friday afternoon,” Kindlund wrote. “Because real attacks were spreading across further versions of both products, as well as into more victims in Europe and North America, FireEye notified Microsoft immediately and worked with Microsoft over the last few days for an out-of-band patch.”
