We’re only 16 days into 2013, and yet, we’ve already seen the release of two emergency patches. One, of course, was Oracle’s patch for Java. But on Monday, Microsoft announced that it, too, was releasing an emergency patch, just days after its monthly Patch Tuesday. As Rapid7’s senior manager of security engineering, Ross Barrett, told me in an email:
Microsoft has indicated that theey will patch Internet Explorer to address a vulnerability affecting versions 6, 7, & 8 (CVE 2012-4792). If Microsoft’s security team is correct, this vulnerability is still seeing only limited exploitation in the wild, but there is no reason to hold off only releasing a fix now that the patch is ready. It always seems to be a race between security teams and malware writers, in this case given the attention this vulnerability has received it likely will not be long before exploitation becomes widespread. Getting a fix out under these circumstances is like immunizing ahead of an outbreak that has already started.
It’s unusual, but not unheard of, for Microsoft to release an out-of-band patch, but the release shows that Microsoft is on top of the need to correct vulnerabilities in a timely manner – as opposed to waiting until the next scheduled release, waiting until the pressure is on, or doing it stealthily. In fact, ComputerWorld pointed out that Microsoft “kept calm” in its latest release (the article also said we should expect the next Patch Tuesday to fix a broader number of vulnerabilities for IE).
I think we should also take notice of the versions of IE that had to be patched: 6, 7 and 8. We know that IE6 has been a problem for quite some time now, and if your company hasn’t updated from that version yet, you aren’t doing yourself any favors. Newer versions of IE – of any browser for that matter – tend to be more secure (this isn’t a problem for IE9 or IE10, for instance). If you have downloaded the patch, you may want to look into updating your browser.