As expected, Microsoft quickly released an out-of-cycle patch for Internet Explorer. It’s the only critical update in this second monthly edition of Patch Watch.
Microsoft also clarified its policy on the version of Flash embedded in IE 10.
One zero-day down, undoubtedly more to come
In the Sept. 20 special edition of Patch Watch (a Top Story), I reported on a new and serious vulnerability in IE Versions 6–9. I also told you to keep an eye out for a patch outside the regular Patch Tuesday (the second Tuesday of each month) schedule. Sure enough, Microsoft released KB 2744842 on Friday, Sept. 21. You should have installed it by now.
If you haven’t done so already, check out this issue’s Top Story on using Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) to further protect Internet Explorer from zero-day attacks. We might have dodged this most recent threat, but it’s a safe bet that hackers have other exploits they’re not telling us about.
I use NoScript in Firefox and Sandboxie (and Chrome as needed) to safely download and open most files. But I still need to use Internet Explorer for specific websites, and Windows depends on IE for tasks such as Windows Updates. Thus keeping IE patched is key to a healthy system.
What to do: Unless noted otherwise in this column, IE should always be patched quickly. If you have not installed KB 2744842 (MS12-063), do so soon.
IE 10 to get Flash updates as needed
The current wisdom is to use Adobe Flash as little as possible. Many YouTube videos no longer require Flash, and many sites are Flash-free. (Famously, Apple’s iOS doesn’t support Flash, and I’ve found a way to make most Flash-based websites work on my iPad.) However, there are cases where Flash is still needed.