Surprise! May's Microsoft Patch Tuesday Fixes IE Zero-Day
CREDIT: James M Phelps, Jr / Shutterstock.com
Next week's Patch Tuesday, Microsoft's monthly security update, will feature 10 patches, two of which are critical, including one that permanently fixes a recently discovered Internet Explorer 8 bug used to target nuclear researchers.
Both critical patches fix vulnerabilities in Windows and Internet Explorer 8 that could be leveraged by attackers to remotely launch malicious code.
The other eight patches, according to Microsoft's security bulletin, fix an information-disclosure problem in Microsoft Office and the freeware package Windows Essentials; a remote code-execution bug and privilege-elevation flaw in Windows; and flaws in the Lync video-conferencing system and the .NET framework.
The Internet Explorer 8 zero-day exploit, which was not known to Microsoft or to the computer-security industry before it was used by hackers to target U.S. federal atomic researchers, was given a stopgap fix earlier this week because of its use in targeted attacks against employees in Western aerospace, security and defense industries.
The zero-day exploit — an exploit of a computer-security flaw against which no protection was available at the time of disclosure — was only revealed to Microsoft last week. Fixing such issues usually takes several weeks.
The other critical bulletin addresses other Internet Explorer issues exposed during the Pwn2Own hacking contest in Vancouver, British Columbia, in March.
As it has done for several months, Adobe will release its own set of patches in conjunction with Microsoft's updates.
This month's Adobe bulletin fixes a zero-day exploit for ColdFusion that may have been involved in the theft of hundreds of thousands of driver's-license records and Social Security numbers from the court systems of Washington state.
Windows users should set Windows Update in the Control Panel so that security updates are automatically downloaded and installed. Adobe patches usually need to be installed manually.