Friday saw the release of a critical out-of-band patch for Internet Explorer from Microsoft. The security update (MS12-063) addresses as many as five vulnerabilities, the most important being the critical zero-day bug (CVE-2012-4969) that French researchers made public earlier this week and that even prompted Germany’s Federal Office for Information Security (BSI) to issue an advisory asking German citizens to stay away from IE. The Redmond-based company has also released a security update for Adobe Flash in IE 10.
Rated “critical” for IE6, IE7, IE8, and IE9 on Windows and “moderate” for IE6, IE7, IE8, and IE9 on Windows servers, the security update patches not only the much-discussed execCommand Use After Free vulnerability (CVE-2012-4969), but also the cloneNode Use After Free flaw (CVE-2012-2557), the Layout Use After Free bug (CVE-2012-2548), the Event Listener Use After Free bug (CVE-2012-2546), and the OnMove Use After Free flaw (CVE-2012-1529).
“Today we released Security Update MS12-063 to address limited attacks against a small number of computers through a vulnerability in Internet Explorer versions 9 and earlier,” the company said in a blog post on the Microsoft Security Response Center (MSRC) blog. “In addition to addressing the issue described in Security Advisory 2757760, MS12-063 also resolves four privately disclosed vulnerabilities that are currently not being exploited.”
With Adobe Flash built into Internet Explorer 10, the responsibility for keeping Flash Player updated on Windows 8 now rests with Microsoft. To this end, Microsoft on Friday released Security Advisory 2755801, which addresses a number of flaws in Flash in IE10 on Windows 8. The original plan was to patch these vulnerabilities after the release of Windows 8, but the company changed its mind earlier this month, saying “our goal is to make sure the Flash Player in Windows 8 is always secure and up-to-date, and to align our release schedule as closely to Adobe's as possible.”