Microsoft said it would issue critical bulletins impacting Microsoft Windows and Internet Explorer next week as part of its May Patch Tuesday round of updates.
In its Advance Notification issued Thursday, the software maker said it plans to issue 10 bulletins, addressing 34 vulnerabilities across its entire product line. The update will also address coding errors in Microsoft Office, Microsoft Lync and Windows Essentials.
The updates will address two critical remote code execution vulnerabilities impacting all versions of Internet Explorer. Microsoft issued a temporary fix on Wednesday, addressing attacks that are actively exploiting a zero-day vulnerability in Internet Explorer 8, and indicated that it was still testing a full patch for the flaw.
"Of note, we are working to have the Internet Explorer Security Update address the issue described in Security Advisory 2847140, supplementing the currently available Fix it," wrote Dustin Childs, group manager at Microsoft Trustworthy Computing, on the company's security blog.
Security researchers have been tracking the ongoing attacks, which were detected in late April and stem from attack code embedded on the Department of Labor website. The watering hole-style attack was set up on one of the site's Web pages that Department of Energy employees visit.
Internet Explorer 8 is used by approximately 43 percent of Microsoft browser users, according to vulnerability management vendor Qualys. The security bulletin will also address errors used by hackers in the recent Pwn2Own contest held at the CanSecWest conference in March, said Wolfgang Kandek, chief technology officer of Qualys, in a statement. Researchers at security firm VUPEN exploited an error in Internet Explorer 10 to bypass browser security restrictions and gain access to the Windows 8 system, earning it $100,000 in the contest.
The eight bulletins rated important address flaws in Microsoft Windows, Microsoft Office, Server and Tools, and the .NET Framework. The issues range from denial-of-service errors that can cause a Windows system to crash to remote code execution vulnerabilities in specific Microsoft Office software, according to the Advance Notification. A parsing issue with Microsoft Word that affects Microsoft Word viewer will also be addressed.
Microsoft issued nine bulletins, two of them critical, in its April round of security updates. The patches fixed dangerous flaws in Internet Explorer and Windows Remote Desktop Client.
PUBLISHED MAY 9, 2013