Microsoft is breaking with its self-imposed monthly patch cycle to address a serious security vulnerability in its Internet Explorer web browser.
Rather than waiting for the regular 'Patch Tuesday' - the second Tuesday of each month, when the planned updates and fixes are rolled out to customers - Microsoft has decided to issue an out-of-cycle patch, only done in critical scenarios, to address a remote code execution zero-day vulnerability in Internet Explorer which is being actively exploited by ne'er-do-wells.
The precise flaw that is being fixed is not being made public, in an effort to stem the flow of attacks against the vulnerability, but is thought to be related to a security advisory
affecting Internet Explorer 6, 7 and 8 - but not Internet Explorer 9 or 10. While a work-around for that flaw, which allowed attackers to exploit the MSHTML shim in order to run arbitrary code in the context of the browser user, was released by Microsoft in the form of a 'Fix It' patch
, this merely disabled the affected component rather than actually fixing the flaw.
For those running a later release of Internet Explorer, or any other browser, now isn't the time to get complacent, however: coinciding with the out-of-cycle patch for older Internet Explorer releases, Oracle has announced an update for its Java package that fixes a similarly serious security vulnerability. Java 7 Update 11 has been released to address a series of zero-day attacks against the popular package, which is often triggered via a plug-in in a web browser to run web applications.
The Java flaw is significantly more wide-spread than the Internet Explorer vulnerability, affecting any machine with Oracle's Java client installed - an estimated 850 million desktops and laptops around the world. The flaw was serious enough for browser makers, including Firefox creator Mozilla, to temporarily block
Java from loading in order to provide some level of protection against attack.
For those who need Java, the update to Java 7 Update 11
is a recommended install - and if you're an Internet Explorer 6, 7 or 8 user, should be snagged alongside Microsoft's out-of-cycle patch, which can be installed through Windows Update as normal. Alternatively, consider upgrading to a newer release of Internet Explorer: both Internet Explorer 9, available for older versions of Windows, and the Windows 8-exclusive Internet Explorer 10 are not vulnerable to the flaw but still require the Java update.