No Patch Tuesday Fix for Internet Explorer?

Microsoft is set to release its second major Patch Tuesday update of the year tomorrow (11 Febraury)  and it doesn’t look to be a heavy load.

The advance notification indicates that there will be five security bulletins released on Microsoft’s February Patch Tuesday, with only two of them rated as critical. For the first Patch Tuesday of 2014, Microsoft only had four security bulletins. In contrast, the December 2013 Patch Tuesday update had 11 security bulletins.

There’s nothing wrong with Internet Explorer

What is even more surprising is the fact that the advance notification does not call out any specific Microsoft Internet Explorer (IE)-related vulnerabilities. That doesn’t necessarily mean there won’t be any IE-related updates, as an IE update could emerge as a late addition or one could be embedded in one of the five bulletins.

In January’s advance notification, Microsoft similarly did not include any warning about an IE update. As it turned out, there were no updates for IE in the January Patch Tuesday either, which was the first time in a year that Microsoft did not patch IE.

A recent report from Hewlett-Packard noted that the company’s Zero Day Initiative (ZDI), which acquires vulnerabilities from researchers for payment, had more submissions against IE in 2013 than any other software product.

What’s also surprising about the lack of an IE update is that this is also the time when IE is likely to be heavily targeted. In the upcoming Pwn2own hacking competition (12 to 13 March), and researchers will be directly attacking IE. The Pwn2own contest is organized by HP’s ZDI and offers a $100,000 prize to the attacker who successfully exploits IE11 running on 64-bit Windows 8.1.

In past years, browser vendors have typically patched their respective technologies heavily ahead of the Pwn2own event in a bid to avoid public embarrassment. I suppose Microsoft still can patch IE in March to protect itself, but still, it is surprising not to see an IE-related bulletin manifesting yet in Microsoft’s patch purview.

Time will tell whether or not there is in fact a patch for IE. Time will also tell if Microsoft simply missed one and needs to race out an out-of-band patch. I’ve seen and heard no indication that the volume of IE-related research has slowed down, but given that we might very likely now see two months without a specific critical IE patch roll-up, Microsoft might well have turned the corner on its browser’s security stature.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Are you a security expert? Try our quiz!