Dajbych.net


Out-of-band IE update (KB2964358) is also available for Windows XP


Last night Microsoft released an out-of-band update for a security vulnerability in Internet Explorer that became public five days ago. Every version of IE from 6 up to 11 is affected. That product security really is a priority for Microsoft is also shown by the fact that the update is available for Windows XP, a decade-old operating system whose extended support ended only recently. The vulnerability was not exploitable in the 64-bit browser running with Enhanced Protected Mode enabled.

Another way to defend against such attacks is to install the Enhanced Mitigation Experience Toolkit (EMET). It opts Internet Explorer into exploit mitigations of the operating system that IE does not enable on its own, for backward-compatibility reasons: some programs that embed the IE rendering engine would simply stop working. In its default configuration this tool already blocked the exploit for the newly discovered vulnerability. The latest version of the tool is EMET 5 Tech Preview Release 2.

The vulnerability is in the vgx.dll library (the VML renderer), which is loaded by mshtml.dll. The fix itself consists of correcting the memory handling in that code; the issue is a memory-corruption bug, tracked as CVE-2014-1776.

The update is a one-off, non-cumulative package and requires the April cumulative update for Internet Explorer. You may have noticed that the May cumulative update cannot be installed on Windows 8.1 without the update known as the Spring Update, Windows 8.1 Update 1, or simply KB2919355. This security patch, however, does not require it, and Windows 8.1 systems without KB2919355 will keep receiving fixes until the end of August. That is why there are actually two security updates: KB2964358 for systems that already have KB2919355 (and for all other Windows versions) and KB2964444 for Windows 8.1 and Windows Server 2012 R2 systems that do not.
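To check where a machine stands against the two paragraphs above (which of the two packages applies, whether it is installed, and whether the interim protections EMET, Enhanced Protected Mode and the advisory's "unregister vgx.dll" workaround are in place), here is an added PowerShell script. It is my example, not code from this post or from Microsoft. Get-HotFix, Get-WmiObject and regsvr32 are standard; the vgx.dll CLSID, the IE `Isolation` values and the EMET registry layout are assumptions and are marked as such in the comments.

```powershell
# Added example for this post (my code, not Microsoft's or the author's).
# Reports whether a machine has the MS14-021 fix, which of the two packages
# it should have, and whether the interim protections are in place.
# Items marked ASSUMED are registry layouts I believe match IE10/11 and
# EMET 4/5 era systems; they are not taken from the post. Run as administrator.

$VgxPath = Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll'
# ASSUMED: CLSID under which vgx.dll registers the VML renderer. If this key
# is absent, the advisory's "unregister vgx.dll" workaround is in effect.
$VgxClsidKey = 'Registry::HKEY_CLASSES_ROOT\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\InprocServer32'

function Get-Ms14021Status {
    # Installed update packages, by KB number
    $kbs = @(Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID })
    $hasSpringUpdate = $kbs -contains 'KB2919355'   # Windows 8.1 Update
    $has358          = $kbs -contains 'KB2964358'   # with KB2919355, or any other OS
    $has444          = $kbs -contains 'KB2964444'   # Windows 8.1 / 2012 R2 without KB2919355

    # Windows 8.1 and Server 2012 R2 report kernel version 6.3
    $osVersion = [version](Get-WmiObject Win32_OperatingSystem).Version
    $is81 = ($osVersion.Major -eq 6 -and $osVersion.Minor -eq 3)
    $expected = if ($is81 -and -not $hasSpringUpdate) { 'KB2964444' } else { 'KB2964358' }

    # ASSUMED per-user IE10/11 setting: Isolation=PMEM means Enhanced Protected
    # Mode is on, Isolation64Bit=1 means the content processes run as 64-bit.
    $ieMain = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    $epm   = ($null -ne $ieMain) -and ($ieMain.Isolation -eq 'PMEM')
    $epm64 = ($null -ne $ieMain) -and ($ieMain.Isolation64Bit -eq 1)

    # ASSUMED EMET layout: each protected application is a value under
    # HKLM\SOFTWARE\Microsoft\EMET\AppSettings whose name is the executable path.
    $emetApps = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\EMET\AppSettings' -ErrorAction SilentlyContinue
    $emetIe = $false
    if ($emetApps) {
        $emetIe = [bool]($emetApps.PSObject.Properties | Where-Object { $_.Name -like '*iexplore.exe' })
    }

    # New-Object rather than [pscustomobject] so this also runs on PowerShell 2 (Windows XP)
    New-Object PSObject -Property @{
        Patched           = ($has358 -or $has444)
        ExpectedPackage   = $expected
        HasSpringUpdate   = $hasSpringUpdate
        VgxPresent        = (Test-Path $VgxPath)
        VgxRegistered     = (Test-Path $VgxClsidKey)
        EpmEnabled        = $epm
        Epm64BitProcesses = $epm64
        EmetCoversIE      = $emetIe
    }
}

# Workaround from Microsoft's advisory for this bug: unregister vgx.dll so IE
# no longer loads the VML renderer. Reverse it once the patch is installed.
function Disable-Vgx { & "$env:SystemRoot\System32\regsvr32.exe" /u /s $VgxPath }
function Enable-Vgx  { & "$env:SystemRoot\System32\regsvr32.exe" /s $VgxPath }

$status = Get-Ms14021Status
$status | Format-List
if (-not $status.Patched) {
    Write-Warning "MS14-021 missing: install $($status.ExpectedPackage)."
    if ($status.VgxRegistered) {
        Write-Warning 'vgx.dll is still registered; run Disable-Vgx until the patch is installed.'
    }
    if (-not ($status.EpmEnabled -and $status.Epm64BitProcesses) -and -not $status.EmetCoversIE) {
        Write-Warning 'Neither 64-bit Enhanced Protected Mode nor EMET is protecting iexplore.exe.'
    }
}
```

The package choice mirrors the bulletin: only a Windows 8.1 or Server 2012 R2 machine that lacks KB2919355 needs KB2964444; everything else takes KB2964358. The vgx.dll functions are deliberately separate from the report so that the check can run on machines where you are not yet ready to change anything.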

You may also wonder why the fix takes about a week when the advice on how to avoid being exposed to the bug is issued almost immediately. First, Microsoft determines which versions of Internet Explorer are at risk and in which configurations. It then exploits the vulnerability itself and carries out the attack against every affected configuration to verify that the patch is effective in all of them and that it has not introduced incompatibilities in the system or in third-party applications. Microsoft has a dedicated laboratory for this.

The question also arises why Microsoft decided to patch Windows XP in this case, which is not exactly fair to everyone who runs Windows 7 or Windows 8.1. The decision was heavily influenced by an inaccurate bulletin from the United States Department of Homeland Security, which did not distinguish between browser and operating system versions and treated every version of Internet Explorer as permanently vulnerable. Objectively, though, users expose themselves to a greater risk in the long run by switching to a different browser.

For more information, see security bulletin MS14-021.