Microsoft Releases 2 'Critical' IE Fixes for May Patch
Microsoft's May Security Update arrived today with 10 bulletins, two of them rated "critical," that together fix 33 flaws across a range of Microsoft software products.
The two critical fixes both address vulnerabilities in Internet Explorer and should be the top priority, according to Microsoft.
The first IE fix, bulletin MS13-037, is a cumulative update for all supported versions of Internet Explorer that fixes 11 privately reported vulnerabilities. The most severe of the 11 could allow remote code execution (RCE) if a user views a specially crafted malicious Web site in the browser.
None of these flaws had been seen exploited in the wild at the time of the patch release, but Microsoft gave the bulletin a rating of 1 on its Exploitability Index, meaning it expects working exploit code to be developed for at least one of them.
Bulletin MS13-038 addresses an RCE flaw in Internet Explorer that received a "Fix it" workaround from Microsoft last week. According to Microsoft, the vulnerability is believed to be the one used by the attackers who compromised the U.S. Department of Labor Web site last week.
The turnaround of this bulletin in less than a week is a mixed blessing from Microsoft, according to Ross Barret, senior manager of security engineering at Rapid7.
"On one level, this is Microsoft at their security best," commented Barret in an e-mailed statement. "They responded promptly to a publicly disclosed issue and got the fix out in the next scheduled wave of patches. On another level, this issue, along with the fact that every single month we see another round of critical Internet Explorer patches, highlights what is wrong with Microsoft's patching and support models. Compare this to Google's Chrome browser, which quietly patches itself as fixes become available and has no down-level supported 'old version,' which exposes millions of their users to risk."
Barret went on to say that, because of Microsoft's decision to keep supporting older versions of Internet Explorer, the resources and personnel spent fixing new vulnerabilities in those older versions could instead be used to strengthen the security of the latest version of the browser.
The remaining eight items for the month are all rated "important" and include the following:
- MS13-039: Addresses a flaw in the Windows HTTP protocol stack (HTTP.sys) that could allow a denial-of-service attack if a specially crafted HTTP packet is sent to an affected system.
- MS13-040: Resolves two spoofing vulnerabilities in the Microsoft .NET Framework that an attacker could exploit with a specially crafted XML file.
- MS13-041: Fixes an RCE flaw in Microsoft Lync and Communicator that could be exploited through a malicious invitation to share content.
- MS13-042: The fourth important item takes care of another RCE flaw, this time in all supported versions of Microsoft Publisher.
- MS13-043: Fixes one privately reported flaw in Microsoft Word that could allow RCE if a specially crafted file is opened or previewed in Microsoft Office.
- MS13-044: This Office fix takes care of an information disclosure flaw in Microsoft Visio.
- MS13-045: Takes care of one privately reported information disclosure flaw in Windows Essentials that could be exploited with the help of a malicious URL.
- MS13-046: The final bulletin of the month resolves three flaws in Windows kernel-mode drivers that could allow an elevation of privilege if a malicious application is run on a targeted system.
Many of these updates require a system restart before they are fully applied. More information on the May security update can be found on the Microsoft Security Bulletin Summary page.
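As an added example, not part of the original article, the following PowerShell script checks a host for the two critical IE bulletins by their Knowledge Base article numbers and reports whether a reboot is still pending, which matters because a patch that is installed but awaiting restart is not yet protecting the system. The KB numbers (2829530 for MS13-037 and 2847204 for MS13-038) are the ones Microsoft attached to those bulletins and are not given in the article; confirm them against the Bulletin Summary before relying on the script, and extend the table with the other eight bulletins' KB numbers from the same page.

```powershell
# Added example (not from the article): audit installed May 2013 bulletins
# and pending-reboot state on the local host. Requires PowerShell 3.0+.
# KB numbers are taken from the Microsoft bulletins; verify them against the
# Security Bulletin Summary before trusting the result.
$bulletins = @{
    'MS13-037' = 'KB2829530'   # IE cumulative update, rated critical
    'MS13-038' = 'KB2847204'   # IE fix for the flaw used against the Dept. of Labor site, critical
}

# Get-HotFix reads Win32_QuickFixEngineering, which lists CBS/Windows Update
# installs (including IE cumulative updates) but not every Office update.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

$report = foreach ($id in ($bulletins.Keys | Sort-Object)) {
    $kb = $bulletins[$id]
    [pscustomobject]@{
        Bulletin  = $id
        KB        = $kb
        Installed = ($installed -contains $kb)
    }
}
$report | Format-Table -AutoSize

# Windows leaves well-known registry markers when a restart is still needed:
# a CBS RebootPending key, a Windows Update RebootRequired key, or queued
# file renames in Session Manager.
function Test-PendingReboot {
    $cbs = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
               -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    return ($cbs -or $wu -or ($null -ne $sm))
}

$missing = @($report | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    $names = ($missing | ForEach-Object { $_.Bulletin }) -join ', '
    Write-Warning "Not installed: $names"
}
if (Test-PendingReboot) {
    Write-Warning 'A reboot is pending; installed updates are not fully applied until the system restarts.'
}
```

Run the script in an elevated PowerShell session on each workstation, or wrap it in Invoke-Command to query a list of hosts. Because Get-HotFix does not see every installer type, treat a "Not installed" result for an Office bulletin as a prompt to check the Office update history rather than as proof the patch is absent.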