Non-scheduled fixes for key vulnerabilities
Microsoft has today announced it will be releasing two out-of-band patches, its first of the year, with one for Internet Explorer deemed a critical fix and the other for Visual Studio rated moderate.
The move is outside of its regular monthly patch cycle and is being made in response to various critical security holes in Internet Explorer that allow remote attackers to execute malicious code.
Experts say Microsoft only releases these emergency patches when hackers are exploiting the flaw in real-world attacks.
In an official security bulletin posted by Microsoft, the company confirmed that “One will be for the Microsoft Visual Studio product line; application developers should be aware of updates available affecting certain types of applications. The second contains defence-in-depth changes to Internet Explorer to address attack vectors related to Visual Studio, as well as fixes for unrelated vulnerabilities that are rated Critical.”
Eric Schultze, a former programme manager for the Microsoft Security Response Centre who now manages Shavlik’s product implementation, said that the patch management company recommends that businesses install the Internet Explorer patch as soon as possible.
He explained that some years ago, a flaw was introduced in the development tools maintained by Microsoft.
This flaw was in a ‘template’ that helps developers create ActiveX controls. Any control built using this flawed template might be exposed to the security vulnerabilities discussed in today’s bulletins.
To address these flaws, Microsoft has released two types of patches – one for IE and one for Visual Studio.
The Visual Studio patch corrects the flawed template so that any controls built from this template going forward will be safe. The Internet Explorer patch monitors all calls to ActiveX controls and prevents any control found to have been developed with the flawed template from executing.