Home > Computing > Microsoft’s January security update neglects…

Microsoft’s January security update neglects patch for IE zero-day vulnerability

Following normal routine, Microsoft gave advance notice on Thursday of the seven security updates being released this coming Patch Tuesday, including one rated critical for protecting Windows 8 and Windows RT. All in all, the bundle will address 12 different vulnerabilities. Yet conspicuously missing – as security experts were quick to point out – was a fix for an Internet Explorer zero-day exploit that has recently been plaguing users of IE6, IE7, and IE8.

Although the IE vulnerability alarmed Microsoft enough to issue a security advisory about it last Saturday, the company has since downplayed its seriousness, claiming it affected only a limited number of customers. However, it compromised several websites, including those of Capstone Turbine, a gas turbine manufacturer, and the Council on Foreign Relations, a foreign-policy think tank. When hacked, these websites became unsafe for visitors using IE6, IE7, and IE8, installing unwanted malware on users’ computers and attempting to steal personal data.

Fortunately, there remains a number of solutions for the IE zero-day vulnerability. Newer versions of Internet Explorer do not share this security weakness, so Microsoft is encouraging users to upgrade to IE9 or IE10 if possible. Unfortunately, those running Windows XP or earlier Windows operating systems are unable to upgrade to IE9 and IE10.

For these customers, Microsoft has provided a single-click “Fix it” workaround that will take care of the security vulnerability. Finally, if users see a major increase in the number of attacks exploiting this vulnerability, Microsoft may release a special “out-of-band,” or off-schedule, security update prior to its next Patch Tuesday, which isn’t set to take place until February 12. Of course, you can always try out the latest version of Chrome in the meantime.