Microsoft Releases 2 'Critical' IE Fixes for May Patch

Microsoft's May Security Update arrived today with 10 bulletins, two of which are rated "critical," aimed at fixing 33 flaws in various Microsoft software products.

The two critical fixes both address vulnerabilities in Internet Explorer and should be the top priority, according to Microsoft.

The first IE fix, bulletin MS13-037, is a cumulative update for all versions of Internet Explorer that fixes 11 privately reported vulnerabilities. The most severe of the 11 could lead to a remote code execution (RCE) attack if a specially crafted malicious Web site is opened with the Microsoft browser.

While the flaws associated with this item had not been observed being exploited in the wild at the time of the patch release, Microsoft gave it a rating of 1 on its Microsoft Exploitability Index, meaning that the probability of attackers taking advantage of these vulnerabilities is extremely high.

Bulletin MS13-038 addresses an RCE flaw in Internet Explorer that received a "Fix it" from Microsoft last week. According to Microsoft, the vulnerability is believed to have been exploited by the attackers who hacked the U.S. Department of Labor last week.

The turnaround of this bulletin in less than a week is a mixed blessing from Microsoft, according to Ross Barret, senior manager of security engineering at Rapid7.

"On one level, this is Microsoft at their security best," commented Barret in an e-mailed statement. "They responded promptly to a publicly disclosed issue and got the fix out in the next scheduled wave of patches. On another level, this issue, along with the fact that every single month we see another round of critical Internet Explorer patches, highlights what is wrong with Microsoft's patching and support models. Compare this to Google's Chrome browser, which quietly patches itself as fixes become available and has no down-level supported 'old version,' which exposes millions of their users to risk."

Barret went on to say that, because of Microsoft's decision to continue supporting older versions of Internet Explorer, resources and personnel spent fixing new vulnerabilities in those older versions could instead be used to strengthen the security of the latest version of Internet Explorer.

Important Items
The remaining eight items for the month are all rated "important" and include the following:

  • MS13-039: Addresses an issue in Windows, specifically in HTTP.sys, that could lead to a denial-of-service attack if a malicious HTTP packet is processed.
  • MS13-040: Blocks two spoofing vulnerabilities in Microsoft's .NET Framework that could be leveraged by attackers with a harmful XML file.
  • MS13-041: This RCE flaw fix in Microsoft's Lync blocks attackers from sending malware through an invitation in Lync or Communicator.
  • MS13-042: The fourth important item takes care of another RCE flaw -- this time in Microsoft Publisher (all versions).
  • MS13-043: Fixes one privately reported flaw in Microsoft Word that could allow an RCE attack if a harmful file is opened or previewed in Microsoft Office.
  • MS13-044: This Office fix takes care of an information disclosure flaw in Microsoft Visio.  
  • MS13-045: Takes care of one privately reported information disclosure flaw in Windows Essentials that could be exploited with the help of a malicious URL.
  • MS13-046: The final bulletin of the month resolves three flaws in Windows kernel-mode drivers that could lead to an elevation of privilege if a malicious app was run on a targeted system.

Many of these bulletins may require a system restart to be fully applied. More information on the May security update can be found on the Microsoft Security Bulletin Summary page.

About the Author

Chris Paoli is the site producer for and
