Microsoft has released an emergency out-of-cycle patch for the latest zero-day vulnerability in Internet Explorer that affects versions IE6 to IE9.
The security update also addresses four other unrelated vulnerabilities, which were reported privately to Microsoft, the software maker said.
According to the latest Microsoft security advisory, the most severe vulnerabilities could allow remote code execution if a user views a specially crafted web page using Internet Explorer.
“An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights,” the advisory said.
The zero-day flaw, which does not affect Internet Explorer 10, was first identified by researcher Eric Romang, according to a blog post by security research firm Rapid7. Rapid7 has since incorporated a working exploit for the flaw into its Metasploit penetration testing tool.
Microsoft said most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually.
For administrators and enterprise installations, or end-users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.
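For administrators who want to confirm the update actually landed rather than rely on automatic updating, the following PowerShell script is an added example (not from the article, Microsoft or Qualys). It reads the installed Internet Explorer version from the registry, flags machines running the affected IE6 to IE9 range, and checks whether the update's KB package is present. The article does not give the KB number for this update, so the script takes it as a parameter (`$KbNumber`, a name chosen for this example) that must be filled in from Microsoft's bulletin.

```powershell
# Added example, not part of the original article: report whether this host
# runs an affected Internet Explorer version and whether a given update is installed.
# $KbNumber is this example's own parameter; the article does not state the KB
# number, so supply the one listed in Microsoft's bulletin, e.g. -KbNumber KB1234567.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^KB\d+$')]
    [string]$KbNumber
)

function Get-IeMajorVersion {
    # IE9 and earlier record their build in 'Version'. IE10 and later keep
    # 'Version' at 9.x for compatibility and store the real version in 'svcVersion',
    # so prefer svcVersion when it exists.
    $key = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction Stop
    $ver = if ($key.svcVersion) { $key.svcVersion } else { $key.Version }
    return [int]($ver.Split('.')[0])
}

function Test-KbInstalled([string]$Id) {
    # Get-HotFix wraps Win32_QuickFixEngineering; IE cumulative security updates
    # are listed there by their KB identifier once installed.
    return [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

$major    = Get-IeMajorVersion
$affected = ($major -ge 6) -and ($major -le 9)   # range named in the bulletin
$patched  = Test-KbInstalled $KbNumber

if ($affected -and -not $patched) {
    $action = "Install $KbNumber (or apply the Fix-it) before browsing untrusted sites"
} elseif ($affected) {
    $action = 'Patched'
} else {
    $action = 'Not affected (Internet Explorer 10 or later)'
}

# One object per host; pipe to Export-Csv when run across a fleet via Invoke-Command.
[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    IeMajor     = $major
    Affected    = $affected
    KbInstalled = $patched
    Action      = $action
}
```

Run it through `Invoke-Command -ComputerName (Get-Content hosts.txt) -FilePath .\Check-IeUpdate.ps1 -ArgumentList 'KB…'` to collect a per-host report; the Fix-it mentioned later in the article is a shim, not a hotfix, so a host protected only by the Fix-it still shows `KbInstalled = False` here, which is the right outcome if the goal is to find machines that still need the real update.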
Wolfgang Kandek, chief technology officer of security firm Qualys, said he recommends organisations install the update even if they are not running one of the configurations targeted by the exploit currently in the wild, such as Internet Explorer with the Flash plug-in or Java v1.6 installed.
“Attackers are surely working on a way to exploit the vulnerability directly, without the help of plug-ins,” he wrote in a blog post.
Ahead of the security update, Microsoft made available a "Fix-it" that uses its application compatibility shim mechanism to patch the affected code in memory on all affected versions of the browser, and published mitigations and workarounds that businesses could use until the full update was available.