Microsoft is prepping fixes for close to three dozen vulnerabilities for this month’s Patch Tuesday, including critical issues affecting Internet Explorer.
Tucked in among the 10 security bulletins is one aimed squarely at the Internet Explorer 8 zero-day vulnerability being exploited in the wild. Microsoft has already issued a “Fix It” tool this week to offer protection in lieu of a patch. According to the company, the issue is due to the way IE accesses an object in memory that has been deleted or that has not been properly allocated. By exploiting the issue, an attacker could potentially remotely execute code.
“In all cases, however, an attacker would have no way to force users to view the attacker-controlled content,” Microsoft noted. “Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by opening an attachment sent through email.”
The vulnerability has been at the center of a spate of water holing attacks that have roped in a number of sites, including the U.S. Department of Labor site.
All totaled, 33 vulnerabilities are expected to be fixed. Just two of the bulletins are rated ‘critical’, while the other eight are considered ‘important.’ Both critical bulletins address issues in Internet Explorer. The remaining bulletins are focused on issues in Windows, Microsoft Lync, Microsoft Office and Microsoft Windows Essentials.
“With ten bulletins, eight important this month, we have seen 45 to date in 2013, or 10 more bulletins than last year at this time,” said Paul Henry, security and forensic analyst at Lumension. “This tells me Microsoft is continuing to dig deeper into their code base to uncover lower level vulnerabilities. This is good news and I believe the trend toward higher numbers of important bulletins will continue given Microsoft’s apparent commitment to proactively discovering and patching security issues in their code.”
“As always, I recommend patching the important bulletins based on what programs you’re using,” he said. “Looking through the bulletins, Bulletin 4 is probably the most interesting, affecting all versions of Windows, from XP through Windows RT and Windows 8. This is a spoofing issue, which we don’t see very often in Microsoft bulletins. I’ll be very interested to see what this one turns out to be on Tuesday.”
*This story has been updated to reflect an error by Microsoft regarding the number of vulnerabilities set to be patched.