Microsoft fixes two critical IE security flaws, including 'nuke' zero-day
Microsoft has dished out 10 security patches, which will fix a total of 33 vulnerabilities. In all, two of the bulletins will resolve 'critical' security flaws.
Read this
Included in the patches are eight important updates for Windows, Office, Lync, the .NET Framework, and Windows Essentials, which are hitting the usual update channels today, such as Windows and Microsoft Update.
Bulletin 1 (MS13-037) patches 11 privately reported vulnerabilities in all versions of Internet Explorer 6 and above, including for Windows 8 devices and Windows RT-based tablets. The most severe vulnerability would allow hackers to install malware on an affected machine through a specially-crafted webpage. Microsoft said lower user permissions would mitigate the damage caused by such malware.
Bulletin 2 (MS13-038) relates to the recent "nuke-bug" flaw in Internet Explorer 8, which was discovered earlier this month.
The "watering hole" attacks were aimed at federal government employees at the U.S. Department of Labor and U.S. Department of Energy — the latter focuses on nuclear weapons research and testing. The DOL's website was compromised to direct visitors to a malware-ridden site, which triggered a drive-by download to install the Poison Ivy Trojan. The malware is linked to a hacker group based in China.
Microsoft said on Thursday that it could not guarantee that the bug would be patched as soon as Patch Tuesday. It released an emergency out-of-band "Fix It" patch the same day.
With the quick-fix now defunct, users of Windows XP and above should update their systems as soon as possible.
The other eight vulnerabilities rated as "important" could allow data and information disclosure, spoofing, remote code execution attacks, or an elevation of privileges on affected machines.
MS130-039 affects both Windows 8 and RT, and Windows Server 2012 allow hackers to launch a denial-of-service attack against systems. By sending a specially crafted HTTP header to a vulnerable machine, it can cause it to spin into an infinite loop.
Meanwhile, MS13-040 could result in spoofing if a .NET application receives a specially crafted XML file. Microsoft warned that the XML digital signature spoofing vulnerability could result in a hacker gaining access to "endpoint functions" as if they were an authenticated user.
MS13-046 affects all versions of Windows and warns of an elevation of privilege security flaw. While rated as 'important,' the attacker must be logged in and physically able to access the Windows machine.
MS13-042, MS13-043, and MS13-044 all relate to Microsoft Office 2003, 2007 and 2010. Office 2013 is not affected. These flaws range from remote code executions that could lead to malware being installed, and information disclosures.
Next up, MS13-041 fixes a flaw in Lync that could allow malware injection. In the bulletin, Microsoft notes that the user would have to be convinced to accept an invitation that would allow an attacker to gain access to their system.
Finally, MS13-045 relates to Windows Essentials, the former Windows Live product suite, specifically Windows Writer. The flaw could allow the disclosure of information if a user opens Windows Writer using a specially crafted URL. Windows Writer proxy settings could be overridden and overwrite files accessible to the user on the target system.
Microsoft also dished out a bevy of patches for its Surface tablet. ZDNet's Mary Jo Foley has more.
Advanced notifications for next month's Patch Tuesday are expected on June 4, with the security patches released a week later on June 11.