- Jan 24, 2011
Sophos said: It is the second Tuesday of the month here on the West coast of North America and for once I am actually in town to do our monthly Patch Tuesday analysis.
33 separate CVEs (individual security related bugs) are fixed across ten patches affecting Internet Explorer, Windows, .NET, Lync, Publisher, Word, Visio and Windows Essentials.
The answer to everyone's question is "yes". Microsoft has released a fix for the IE 8 zero-day vulnerability used in the US Department of Labor website compromise.
I had the opportunity to speak with the MSRC team in Redmond this morning and without a doubt the three most important updates are MS13-037, MS13-038 and MS13-039.
MS13-037 fixes eleven vulnerabilities in Internet Explorer.
Ten of these vulnerabilities could be exploited to allow remote code execution (RCE) and one could be exploited to disclose information that shouldn't be accessible.
This fixes the now two-month-old vulnerability (CVE-2013-2551) in IE 10 disclosed at this year's PWN2OWN competition at CanSecWest.
All of these vulnerabilities were privately disclosed, but for all we know the criminals might also be aware of how to exploit these flaws.
MS13-038 is the most anticipated as it fixes the zero-day flaw utilized in the attack on visitors to the US Department of Labor website. We know that our adversaries have knowledge of this flaw, so it is a very high priority for IE users.
It has been reported that this flaw only affects Internet Explorer 8, but that is only partly true. Some of the flawed code is also present in Internet Explorer 9, although Microsoft does not believe it can be exploited. It is certainly worth applying this fix anyhow, just in case the criminals have determined a way to exploit IE 9 users as well.
MS13-039 fixes a DoS (denial of service) vulnerability in the http.sys driver on Windows 8 and Windows Server 2012.
Read more: http://nakedsecurity.sophos.com/2013/05/14/may-patch-tuesday-critical-for-users-of-internet-explorer-and-web-based-services/