Microsoft to Patch Internet Explorer Zero-Day in Patch Tuesday Update

Microsoft is planning to release seven security bulletins next week for June’s Patch Tuesday.

Two of the bulletins are rated ‘Critical’, while five of the bulletins are classified as ‘Important.’ According to Microsoft, the updates cover a number of products including Microsoft Word, Windows, Microsoft Office and Internet Explorer.

The IE update will address the zero-day vulnerability in Internet Explorer 8 that was revealed recently by HP’s Zero-Day Initiative. The issue is a use-after-free vulnerability that could enable a remote attacker to execute arbitrary code using JavaScript code that interacts improperly with a CollectGarbage function call on a CMarkup object allocated by the CMarkup::CreateInitialMarkup function. So far, the vulnerability is not known to have been used in any attacks, according to Microsoft.

“Today’s advanced notification outlines seven patches in next week’s June Patch Tuesday; two are critical and five important,” said Russ Ernst, director and product management at Lumension. “Affected software runs the gamut, as usual, and the first critical bulletin is for IE. Last month, IE saw a lot of activity, first with the out-of-band patch released on May 1, a point fix released as part of May’s Patch Tuesday, and a vulnerability that was publicly disclosed by the Zero-Day Initiative on May 21. We will have to wait and see if June Patch Tuesday is a cumulative update for the popular browser but odds are it will be. And if you’re still using XP, you’re out of luck.”

The second critical bulletin impacts Windows, Office and Microsoft Lync. According to Microsoft, it can be exploited to remotely execute code. Two other bulletins involving Windows and Lync Server are rated Important and can result in information disclosure. The other three bulletins rated Important deal with remote code execution, tampering and denial-of-service issues.

“Patch Tuesday, June 2014 advance notification once again falls under the shadow of looming OpenSSL issues,” said Ross Barrett, senior manager of security engineering at Rapid7, in reference to patches released today to address OpenSSL vulnerabilities. “These ones don’t have quite the catchy name as the last round, but they should not be ignored. That said, this is about the Microsoft advisories coming next week. There are seven of them, two critical, five important – one of which is the seldom seen ‘tampering’ type.”

The updates will be released June 10. 
