Microsoft to Patch Internet Explorer Zero-Day in Patch Tuesday Update

Microsoft is planning to release seven security bulletins next week for June’s Patch Tuesday.

Two of the bulletins are rated ‘Critical’, while five of the bulletins are classified as ‘Important.’ According to Microsoft, the updates cover a number of products including Microsoft Word, Windows, Microsoft Office and Internet Explorer.

The IE update will address the zero-day vulnerability in Internet Explorer 8 that was revealed recently by HP’s Zero-Day Initiative. The issue is a use-after-free vulnerability that could enable a remote attacker to execute arbitrary code using JavaScript code that interacts improperly with a CollectGarbage function call on a CMarkup object allocated by the CMarkup::CreateInitialMarkup function. So far, the vulnerability is not known to have been used in any attacks, according to Microsoft.

“Today’s advanced notification outlines seven patches in next week’s June Patch Tuesday; two are critical and five important,” said Russ Ernst, director of product management at Lumension. “Affected software runs the gamut, as usual, and the first critical bulletin is for IE. Last month, IE saw a lot of activity, first with the out-of-band patch released on May 1, a point fix released as part of May’s Patch Tuesday, and a vulnerability that was publicly disclosed by the Zero-Day Initiative on May 21. We will have to wait and see if June Patch Tuesday is a cumulative update for the popular browser but odds are it will be. And if you’re still using XP, you’re out of luck.”

The second critical bulletin impacts Windows, Office and Microsoft Lync. According to Microsoft, it can be exploited to remotely execute code. Two other bulletins involving Windows and Lync Server are rated Important and can result in information disclosure. The other three bulletins rated Important deal with remote code execution, tampering and denial-of-service issues.

“Patch Tuesday, June 2014 advance notification once again falls under the shadow of looming OpenSSL issues,” said Ross Barrett, senior manager of security engineering at Rapid7, in reference to patches released today to address OpenSSL vulnerabilities. “These ones don’t have quite the catchy name as the last round, but they should not be ignored. That said, this is about the Microsoft advisories coming next week. There are seven of them, two critical, five important – one of which is the seldom seen ‘tampering’ type.”

The updates will be released June 10. 
