Patch Tuesday: Microsoft Fixes Critical IE8 Flaw Used In Targeted Attacks


Microsoft has addressed a serious Internet Explorer 8 vulnerability that has been seen in a spate of targeted attacks against Department of Energy employees and other individuals.

The vulnerability is one of 33 repaired by the software giant during its May 2013 Patch Tuesday round of security updates released Tuesday. Microsoft released 10 security bulletins, of which two were rated critical. The patches repair vulnerabilities in Microsoft's Windows and Office, as well as its .NET Framework and Windows Essentials software.

Critical bulletin MS13-038 addresses the serious browser vulnerability. Internet Explorer 8 users should update their browsers immediately or use a later version of Internet Explorer, Microsoft said. The attack targeting the browser flaw was detected on a Web page maintained by the Department of Labor in late April. The Web page contained a database frequently used by Department of Energy employees, leading security experts to call out the serious nature of the threat. Microsoft issued a temporary Internet Explorer 8 workaround last week, while its engineers tested the security update that was issued today.


Ross Barrett, senior manager of security engineering at Boston-based vulnerability management vendor Rapid7, said the Internet Explorer 8 coding error highlights the need for Microsoft to overhaul how it updates the browser. Microsoft could align itself with Google or Mozilla, which roll out periodic updates to their browser users in a more automated fashion.

"Microsoft is tying up resources in maintaining the older versions and extending the window by which users are exposed to risk with their opt-in updates and periodic patching model," Barrett said in a statement.

A second critical bulletin addresses 11 browser vulnerabilities affecting Internet Explorer 6 and later, as well as browser issues on Windows 8 and RT-based tablet devices. The flaws can be used in drive-by attacks, enabling cybercriminals to install malware and take complete control of a victim's PC, Microsoft said.

Microsoft's bulletin counts have been 25 percent higher over the last couple of years, due partly to monthly updates for Internet Explorer, noted Wolfgang Kandek, chief technology officer of vulnerability management vendor Qualys, in a blog post. Kandek said the update also addresses two vulnerabilities used by security researchers at VUPEN during the Pwn2Own hacking contest at the CanSecWest security conference in March. The flaws are serious and very likely to be used by financially motivated cybercriminals, Kandek said.

"Microsoft expects exploits to be developed within the next 30 days and that the attack vector would be a malicious website," Kandek said. "Patch this vulnerability as soon as possible."

Microsoft also addressed a vulnerability this month that enables attackers to crash Windows 8 and RT systems as well as Windows Server 2012. Microsoft said in its bulletin that an attacker could send malicious packets that cause the devices to fall into a loop condition. The issue was rated important.

A spoofing vulnerability in .NET applications was also repaired. Microsoft said the issue requires the attacker to have physical control of the Windows PC. "Attackers who successfully exploit the vulnerabilities could modify the contents of an XML file without invalidating the file's signature and could gain access to endpoint functions as if they were an authenticated user," Microsoft said.

In addition, vulnerabilities rated important were addressed in Windows Essentials, the Microsoft Lync instant messaging client, and Microsoft Office 2003, 2007 and 2010.

PUBLISHED MAY 14, 2013