Untreated, Internet Explorer vulnerabilities could lead to remote code execution exploits
Microsoft is issuing critical security bulletins this Patch Tuesday that affect all versions of Internet Explorer and deal with an exploit that attackers are actively using.
Internet Explorer 6, 7, 8, 9 and 10 are the recipients of a patch that can prevent an exploit that enables remote code execution in the browser. This affects all Windows operating systems except XP.
“We always recommend upgrading to the latest version of any software,” says Paul Henry, security and forensic analyst with Lumension, “as that’s typically the most secure. If your system is compatible with IE 10 and you’re not running it already, upgrade now.”
The vulnerabilities being addressed may include one found in IE8 running on Windows XP machines that was dealt with yesterday by a hot-fix patch issued separately to deal with a zero-day attack that was actually being exploited in the wild against U.S. government agencies, Henry says. The same vulnerabilities are rated only moderate for machines running server rather than desktop operating systems.
“The patch will include fixes for other, less critical remote code execution vulnerabilities affecting Office and Lync,” says Lamar Bailey, director of security research and development for Tripwire. “These important vulnerabilities run the gamut, impacting DoS, spoofing, elevation of privilege and information disclosure.”
A second bulletin deals with another IE vulnerability believed to be one disclosed in March at the annual Pwn2Own hacking competition. It raised some eyebrows when the problem was not dealt with on Patch Tuesday last month. “Usually Microsoft releases Pwn2Own bug fixes in April, but this year other bug fixes must have been higher priority,” says Andrew Storms, director of security operations for Tripwire.
The rest of this month’s 10 bulletins are ranked important, a step down from critical, and like the two critical ones, three others address problems that can lead to remote code execution exploits. They mainly affect Office. “The most widely installed is probably Bulletin 7, which is for Word 2003 and Word Viewer,” says Wolfgang Kandek, CTO of Qualys. “Bulletin 6 covers the Microsoft Publisher included in Office 2003, 2007 and 2010, and Bulletin 5 is for Microsoft’s instant messaging modules – Communicator 2007 and Lync 2010.”