With an emergency update on Friday evening, Microsoft has closed the critical vulnerability in Internet Explorer that is already being actively exploited for attacks. The hole affects IE versions 6 to 9 and allows attackers to infect systems with malicious code when a specially crafted web page is visited. The vulnerability was disclosed last Monday, and a Metasploit module for it became available on Tuesday.
Microsoft also took this opportunity to close four similar holes that, the company said, were reported in confidence by security specialists and have not been exploited for attacks. Judging by their CVE numbers, these four vulnerabilities were reported well before the other hole was revealed on Monday. All of the vulnerabilities are "use-after-free" bugs, in which the browser keeps using a memory area after it has been de-allocated. When such a bug is exploited, IE ends up executing shell code that the attacker has previously injected into memory.
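The use-after-free pattern behind these bugs, and the ownership discipline that prevents it, is easier to see on a toy than on a browser. The following C program is an added illustration and is not Internet Explorer code or Microsoft's fix: it models a single DOM-like node held by a one-slot "document tree" and dispatches an event whose handler detaches that node mid-dispatch (the usual shape of browser use-after-free triggers). With `hold_ref == 0` the dispatcher relies on the tree to keep the node alive and the node is freed under it; with `hold_ref == 1` it holds its own reference across the callback, so the node survives until dispatch is done. All names (`node_t`, `tree_set_root`, `dispatch_event`, `run_demo`) are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy "DOM node" (not IE's real structures) with explicit
   reference counting, the ownership discipline that closes the
   use-after-free pattern described above. */
typedef struct node {
    int refcount;
    char name[16];
} node_t;

static node_t *tree_root = NULL;   /* one-slot document tree owning a reference */
static int g_freed = 0;            /* how many nodes have been freed so far */

static node_t *node_new(const char *name) {
    node_t *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->refcount = 1;               /* creator holds the first reference */
    strncpy(n->name, name, sizeof n->name - 1);
    return n;
}

static void node_retain(node_t *n) { n->refcount++; }

/* Drops one reference; frees the node and returns 0 when none remain. */
static int node_release(node_t *n) {
    if (--n->refcount > 0) return n->refcount;
    g_freed++;
    free(n);
    return 0;
}

/* The tree takes (and later gives back) its own reference. */
static void tree_set_root(node_t *n) {
    node_t *old = tree_root;
    tree_root = n;
    if (n) node_retain(n);
    if (old) node_release(old);
}

/* Handler that detaches the target while the event is being dispatched:
   the same shape as the DOM manipulations that trigger browser
   use-after-free bugs. */
static void handler_remove_target(node_t *target) {
    if (tree_root == target) tree_set_root(NULL);
}

/* Dispatch an event to `target`. With hold_ref == 0 the dispatcher trusts
   the tree to keep the node alive (the bug); with hold_ref == 1 it holds its
   own reference across the callback (the fix). Returns 1 if the node was
   safely used after the handler, -1 if it had already been freed, i.e. the
   point where vulnerable code would touch de-allocated memory. */
static int dispatch_event(node_t *target, void (*handler)(node_t *), int hold_ref) {
    int freed_before = g_freed;
    if (hold_ref) node_retain(target);
    handler(target);
    if (g_freed != freed_before) return -1;   /* dangling: do not dereference */
    int used = (int)strlen(target->name) > 0; /* post-handler use of the node */
    if (hold_ref) node_release(target);
    return used ? 1 : 0;
}

/* Builds a tree with one node owned only by the tree, dispatches an event
   whose handler removes that node, and reports what happened. */
int run_demo(int hold_ref) {
    node_t *n = node_new("div");
    tree_set_root(n);              /* refcount 2: creator + tree */
    node_release(n);               /* creator drops its reference: 1 */
    return dispatch_event(n, handler_remove_target, hold_ref);
}

int main(void) {
    printf("without holding a reference: %d (node freed during handler)\n", run_demo(0));
    printf("holding a reference:         %d (node alive until dispatch ends)\n", run_demo(1));
    return 0;
}
```

The demo deliberately never dereferences the freed node; it detects the free through the `g_freed` counter and returns -1 at exactly the spot where unprotected code would read or call through de-allocated memory. Real browsers apply the same idea with smart pointers or "protect the node for the duration of the event" guards, and detection on the defending side usually comes from memory-safety tooling such as page-heap or AddressSanitizer builds rather than from the code itself.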
Microsoft says that the patch is being deployed via Windows Update; therefore, those who have the Windows Update feature enabled on their computers need to take no further action. Everyone else can manually download a suitable patch for their version of Windows.
The company has also made changes that benefit the early adopters of Windows 8 by updating the Flash Player that is integrated into IE 10 to the latest version. The update fixes a bug that allowed software to be injected via specially crafted fonts. With the new version of Internet Explorer, Microsoft has made the Flash plug-in a permanent browser component. In theory, this should cause updates to reach users faster and more reliably, because the browser will download and install them automatically.