Broadband Tech → Security → Security > BTW, "Microsoft rushes out security patch for IE"

BTW, "Microsoft rushes out security patch for IE"

Normally, Microsoft releases security bulletins for software products on the second Tuesday of each month. That happened last week as scheduled, but today the company announced it has rushed out an additional patch designed to fix an exploit that has been found in Internet Explorer, and is being used in attacks on IE8 and IE9.

In a post on its security response blog, Microsoft says the issue would allow a hacker to launch a remote code execution if a person surfs to a website using IE that contains malicious code. The blog adds, "There are only reports of a limited number of targeted attacks specifically directed at Internet Explorer 8 and 9, although the issue could potentially affect all supported versions. "

The company has released a "Fix-it" patch, "CVE-2013-3893 MSHTML Shim Workaround" to plug this security hole in all currently supported versions of IE. In addition, Microsoft recommends that users set their security settings on the web browser to "High" to block any ActiveX Controls and Active Scripting on websites. It also recommends users set up IE so that it informs them ahead of time before running any Active Scripting features. The company plans to release a full security patch that will be a more complete solution to this problem in the near future.

Source: Microsoft | Image via Microsoft

Re: BTW, "Microsoft rushes out security patch for IE"

here is a related thread:

»Microsoft Security Advisory Notification - Sept 17, 2013

That sounds like a quote from a third party (not Microsoft) but you don't provide the source.

You also provide no link to the MSRC blog.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

Indeed ..... U R right, try to include fair use third party LINK but mod rules change ¿ ¿ Would like to provide MS direct LINK too

Yes, the rules have changed. But I believe that if you had not just quoted a part of an article from another site, but had used a SMALLER quote AND added some comment of YOUR OWN to your post abut this whole issue, what your opinion is, whether not you have installed the hot fix (I have hesitated to install it), whether or not you use EMET to mitigate, etc. THEN my understanding is that a link to both the third party article and Microsoft security response blog would be acceptable.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

THX 4 your pointer, SORRY my first day join DSL forum & indeed EMET protected my IE 10, just my wife IE 9 need to be safe first !!! Here we go : MS direct LINK
»blogs.technet.com/b/msrc/archive···ted=true

THX 4 your pointer, SORRY my first day join DSL forum & indeed EMET protected my IE 10, just my wife IE 9 need to be safe first !!!

NM

Hi ..... Randy, nice to C U aeound

Sidebar uses mshtml.dll also....
I thought I'd be safe because IE8 is "uninstalled".
Apparently not.



Edit:

The exploit was attacking a Use After Free vulnerability in IE’s HTML rendering engine (mshtml.dll) and was implemented entirely in Javascript (no dependencies on Java, Flash etc), but did depend on a Microsoft Office DLL "hxds.dll"

Guess I'm ok...no office here.

Likewise, I know you from [...]

>> ....

Re: BTW, "Microsoft rushes out security patch for IE"

No OOTB update yet?

Re: BTW, "Microsoft rushes out security patch for IE"

That would be on Tues 9/24. Patch Tues = 2nd Tues of month. Emergency patch Tues = 4th Tues of month

»en.wikipedia.org/wiki/Patch_Tuesday

quote:

---

Sometimes there is an extraordinary Patch Tuesday, 14 days after the regular Patch Tuesday.

---

Re: BTW, "Microsoft rushes out security patch for IE"

No sign from MS, nor on MS-forum too

Re: BTW, "Microsoft rushes out security patch for IE"

quote:

---

Microsoft is scheduled to distribute its monthly patch release Oct. 8. Because the software maker has released a temporary fix for the flaw affecting all versions of IE, experts do not expect a permanent fix until the upcoming release.

---

Thank you Randy for letting us know when an update will be available to fix this.

Sincerely, Libra

MS better get a patch out soon. The exploit is now in the wild:
»arstechnica.com/security/2013/10···he-wild/

A fair bit of FUD out ATM, me thinks: see »news.cnet.com/8301-1009_3-576056···attacks/ Those with the Fix It in place should be fine until Tuesday.

Isn't the fixit only for x86 (x32) and cannot be applied to x64?

Not sure if that is a programming issue or the exploit won't work with x64's extra protection?
Which has me wondering??
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke

Tabs run as 32bit even when using IE 64bit browser. So, even though the FixIt is applied only to 32bit IE seems to me it would prevent the exploitation on IE 64bit also. I haven't applied it though.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

I'm still on IE9. Since it ain't broke, I ain't fixing it. Anyway, your task manager looks different from mine. I don't see icons in the process list.

I still think the situation is ambiguous. I recommend that if the user wants to use IE, use the 32 bit one.
»support.microsoft.com/kb/2887505

quote:

---

The Fix it solution that is described in this section applies only 32-bit versions of Internet Explorer.

---

I have to apologize. I started this confusion as I failed to state I was talking about IE 10 on Windows 8. Plus, I didn't realize at first that you are on Windows 7.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

quote:

---

UAC must be enabled to be able to have 64-bit IE10. Otherwise, it will be 32-bit IE10 even if set to 64-bit in this step.

---

quote:

---

In 64-bit Windows 7, Internet Explorer 10 (IE10) has 32-bit and 64-bit together in one browser now.

---

Aha! Yes, I tried to get along with UAC but it was driving me nuts particularly with regards to HostsMan. It might not be a problem almost a year later and several newer versions of HostsMan later. I finally disabled UAC entirely in the registry. I did not know that it needed to be enabled in order for IE10 64 bit with Enhanced Protected Mode to actually force the tabs to run as 64bit. I am glad to have that mystery solved.

I can enable UAC (will have to anyway if I want to download 8.1 as the Metro apps don't work if UAC is disabled but I don't use them so that didn't matter to me but would if I need to access the Microsoft Store to get 8.1).

It's ironic that it was a tutorial at eightforums that explained how to disable UAC and I read it (and other tutorials on Windows 8 there) but I never saw the one about IE10 64 bit Enhanced Protected Mode on Win 8. If I leave UAC disabled, then I guess my question is answered. The housing may be IE 64bit but tabs are 32bit so I would need to install the Fixit. But then I read this:

"Note:
The Fix it patch only applies to 32-bit versions of IE. For those using 64-bit IE, they would have to wait until Microsoft releases an appropriate software update. In the meantime, they are advised to use browsers other than IE."

»blogs.quickheal.com/wp/critical-···crosoft/

ARRRH! I think I will just pull all my hair out. Or just not use IE until Microsoft issues a a security patch. It's not my default browser so I can just avoid it for another week as even if I enable UAC so that Enhanced Protected Mode works and the tabs start running in 64bit, I still don't know if that protects against this exploit.

--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson