Microsoft Security Update MS12-063:
Microsoft’s approach to user responsibility sees the company periodically releasing security updates to address newly identified vulnerabilities affecting users of the Internet Explorer (IE) web browser. The most recent of these is September’s Security Update MS12-063, which has been designed to permanently address a zero-day IE vulnerability.
The vulnerability was initially patched with what the company calls a ‘Fix it’, but Microsoft says that users who have installed the Fix it will not need to uninstall it in order to apply the full security update as it now exists.
Director of Microsoft Trustworthy Computing Yunsun Wee has confirmed that the latest security update comes in response to an issue reported by and impacting only a “small number of customers” in total. While the attacks have been limited, Wee advocates that for increased protection, customers should apply the update as soon as possible if they do not have automatic updates enabled.
Microsoft’s official details on this release state the following: “This security update resolves one publicly disclosed and four privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
Older Internet Explorer, greater risk
Interestingly, Microsoft still offers a broad level of support for versions of its browser dating back to Internet Explorer 6 and indicates that some of the older versions are still vulnerable to exploitation. Security Update MS12-063 is rated as “critical” for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8 and Internet Explorer 9 when used on Windows clients. By “clients” in this case, the company simply means desktop computers.
Microsoft also states that Security Update MS12-063 is rated as “critical” for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8 and Internet Explorer 9 on Windows servers.
Internet Explorer 10 is not affected and the firm does not offer information on whether Apple Mac computers running a version of Internet Explorer are affected.
The security update (once installed) is said to address the identified vulnerabilities by modifying the way that Internet Explorer handles objects in its memory.
Many users will have “automatic updating” enabled on their Windows machines, so the security update will be downloaded and installed automatically and they will not need to take any action. Users who have not enabled automatic updating in Windows will need to check for updates and install this update manually.