Patch Tuesday Preview: Microsoft To Address Critical Internet Explorer Errors
Microsoft will fix critical flaws in Internet Explorer, addressing 19 coding errors in the popular browser as part of its June round of critical patch updates.
The software giant said it would issue five bulletins, including one critical bulletin, repairing 23 flaws that impact Windows, Office and Internet Explorer. The updates, part of the Microsoft Patch Tuesday June 2013 release of security bulletins, will include fixes to repair remote code execution vulnerabilities, information disclosure errors, potential denial-of-service conditions, and flaws that allow an elevation of privilege.
The critical-rated bulletin impacts all currently supported versions of Internet Explorer. It is rated important for users of IE running on server-side versions of Windows. The update next week also impacts users of Office 2003 and Office for Mac 2011.
Phishing attacks play a key role in exploiting the Internet Explorer flaws, according to Paul Henry, forensics and security expert at vulnerability management vendor Lumension. Henry said the update for IE blocks a coding error that would require participation from the user for an attacker to properly exploit. "Many of the successful hacks we've seen lately have been through phishing attacks, so remember to take the time to educate your users about security and mitigation," Henry said.
Microsoft is also scheduled to release an update that improves cryptography and digital certificate handling in Windows, adding functionality that lets admins handle certificate trust lists more granularly. The repairs should boost the security of Windows systems, Henry said.
Tommy Chin, technical support engineer at Boston-based vulnerability management vendor Core Security, said the privilege escalation issues are of critical concern no matter what security rating Microsoft gives them. "When administrator privileges are obtained, it's game over for your enterprise network security posture," Chin said.
Chin warned that attackers could use previous Microsoft vulnerabilities or leverage the latest errors fixed by Microsoft and increase privileges to move throughout corporate networks.
The June round of updates is scheduled to be released at 1 p.m. EST, on June 11.
In May, Microsoft addressed a dangerous Internet Explorer 8 vulnerability in a round of security updates that fixed 33 flaws across the company's product line. The updates also covered 11 additional browser coding errors that attackers could exploit in drive-by attacks, enabling cybercriminals to install malware and take complete control of a victim's PC, Microsoft said.
PUBLISHED JUNE 6, 2013