Microsoft fixes critical flaws in IE, but doesn’t patch another revealed by Google researcher Tavis Ormandy
Microsoft has issued a lighter-than-normal Patch Tuesday this month, but IT teams have been urged to fix a host of memory corruption bugs in Internet Explorer.
June's Patch Tuesday comprised five bulletins in total. Besides IE, they affect other Microsoft software, including Windows Print Spooler and the Windows Kernel.
Many of the Internet Explorer flaws, of which there are 19 in total, could be used to execute code remotely. That is “definitely something to worry about especially when it affects a browser”, said Ziv Mador, director of security research at Trustwave.
“Traditionally, we’ve seen exploit kits, such as the Blackhole Exploit Kit, implement exploits that target IE vulnerabilities. Fortunately, none of these appear to be added quite yet,” he added.
The flaws affect all versions of IE, from IE6 to IE10, running on all versions of Windows, from XP to RT.
“Given the large number of vulnerabilities fixed, this will be the main target for attackers to reverse engineer and construct an exploit that can be delivered through a malicious webpage. Apply this bulletin as quickly as possible on all workstations that use IE for Internet access,” added Wolfgang Kandek, CTO of Qualys.
Kandek said IT teams should also look at update MS13-051 for Microsoft Office 2003 on Windows and Office 2011 for Mac OS X, which addresses a flaw that has been exploited in the wild. The only reason Microsoft has rated it as important is that it requires user action, which is easy to induce with some smart social engineering.
“It addresses a parsing vulnerability for the PNG graphic format that is currently in limited use in the wild. The attack arrives in an Office document and is triggered when the user opens the document,” he added.
Microsoft has not fixed a bug recently detailed by Google researcher Tavis Ormandy, which could be used to gain control over a victim’s PC, and experts fear underground hackers are putting together exploits.
Meanwhile, Adobe has addressed one vulnerability in its latest version of Flash.