May 10, 2013
May 'Patch Tuesday' Addresses 34 Vulnerabilities, Critical IE8 Flaw
By Rory Lidstone
TMCnet Contributing Writer
When your company's operating system runs on the majority of the world's PCs, it's essential to keep up with any potential security issues or vulnerabilities. Typically, Microsoft saves the bulk of its major security updates for the second Tuesday of each month, also known as "Patch Tuesday."
This month's Patch Tuesday is no exception, of course, and Windows users can expect 10 bulletins, addressing 34 vulnerabilities across the entire Microsoft product line, as well as coding errors in Microsoft Office, Microsoft Lync and Windows Essentials. Most importantly, these updates will address two critical remote code execution vulnerabilities that impact all versions of Internet Explorer.
Microsoft already addressed this somewhat on Wednesday when it rolled out a temporary fix meant to disrupt attacks that are actively exploiting a zero-day vulnerability in Internet Explorer 8, but the company said it is still testing a full patch for the issue.
Dustin Childs, group manager at Microsoft Trustworthy Computing, wrote on the company's security blog: "Of note, we are working to have the Internet Explorer Security Update address the issue described in Security Advisory 2847140, supplementing the currently available Fix."
Attacks relating to this vulnerability were first detected toward the end of April from attack code embedded on the Department of Labor website. This malicious code was set up on one of the site's Web pages accessible by the Department of Energy's employees. While this in itself is worrying news, the fact that Internet Explorer 8 is still used by around 43 percent of IE users, according to vulnerability management vendor Qualys, makes this vulnerability all the more serious.
The security bulletin will apparently address errors found by hackers in the most recent Pwn2Own contest back in March, as well. This includes an error discovered in Internet Explorer 10 by security firm VUPEN that could allow a hacker to bypass browser security restrictions and gain access to the Windows 8 system itself.
Edited by Alisen Downey