Microsoft released a security update for its Internet Explorer browser Thursday to fix a the Zero-Day Vulnerability (CVE 2014-1776) for all versions of Windows including XP. This security update is rated Critical for Internet Explorer 6 (IE 6) thru 11 (IE 11) on affected Windows clients, and Moderate for Internet Explorer 6 (IE 6) thru Internet Explorer 11 (IE 11) on affected Windows servers.
There are a few conditions for some of the updates;
- Customers running Internet Explorer 11 on Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1, must first install the 2919355 update released in April, 2014 before installing the 2964358 update. For more information about this prerequisite update, see Microsoft Knowledge Base Article 2919355.
- Customers running Internet Explorer 11 on Windows 7 or Windows Server 2008 R2, must first install the 2929437 update released in April, 2014 before installing the 2964358 update. For more information about this prerequisite update, seeMicrosoft Knowledge Base Article 2929437
- In all cases MS14-021 helps protect customers from the vulnerability discussed in this bulletin. However, customers who have not installed the latest cumulative security update for Internet Explorer may experience compatibility issues after installing the MS14-021 update.
- If you applied the workaround to modify the Access Control List (ACL) on VGX.DLL, then you must undo this workaround before applying this security update. To undo this workaround, from an elevated command prompt, run the following command;
- echo y| cacls “%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll” /g original ACLs
- If you applied the workaround to unregister VGX.DLL, you do not have to undo this workaround before applying the security update. However, the security update will not re-register vgx.dll. You can find the steps to re-register vgx.dll in the Workarounds Section of Microsoft Security Bulletin MS14-021
Despite making today’s patch available for XP users as well, Microsoft also recommends those users upgrade to new versions of Windows, Windows 7 or 8. Security experts, including U.S. CERT, recommended that users avoid using the maligned browser until a patch was made available.
The is the first out-of-band patch from Microsoft since last January when an IE security update was issued for zero-day vulnerabilities being exploited in watering hole attacks against manufacturing and government websites. For most zero-day vulnerabilities in IE and other Microsoft products, the company has been shipping Fix It tools as temporary mitigations, and recommending the use of the Enhanced Mitigation Experience Toolkit, or EMET, which provides mitigations for memory-corruption attacks.
Windows users who have Automatic Update enabled do not need to take any action to install today’s patch, Microsoft said.