Microsoft rushes Explorer 8 patch release

Microsoft's Patch Tuesday for May addresses 10 security issues, three of them that need to be addressed immediately

By , IDG News Service |  Security

Just 11 days after issuing an advisory, Microsoft has released a patch for a bug in Internet Explorer 8 that bedeviled the U.S. Department of Labor earlier this month.

Microsoft's speedy release of this patch "is an outstanding example of Microsoft's responsiveness to the security community and their users," wrote Andrew Storms, director of security of operations for security software provider Tripwire, in an email statement.

This IE8 security bulletin (MS13-038) is one of 10 that Microsoft released Tuesday as part of its "Patch Tuesday" release of bug fixes and security bulletins that the company routinely issues on the second Tuesday of each month.

Microsoft marked MS13-038 as critical and the company, along with other security firms, are advising those still running IE8 to apply the fix immediately. Using an altered Labor Department Web page, attackers used this vulnerability in an attempt to install malicious code on any visitor's machine running IE8. Microsoft issued a temporary fix for this vulnerability last week.

The other critical bulletin, MS13-037, also affects Internet Explorer. This update resolves 11 issues that would have made it easy to inject malicious code into the browser from a specially crafted Web page, allowing the user to take control of a computer. The update covers the PWN2Own vulnerability, unearthed earlier this year.

Those running Windows Server 2012 should take an immediate look at MS MS13-039. This update fixes a vulnerability in the Microsoft Web IIS (Internet Information Services) that could be used in a Denial of Service (DoS) attack, through the use of an HTTP packet. Because it would be relatively simple to craft an attack using this vulnerability, organizations should apply this update as soon as possible, because exploits based on this vulnerability might start appearing in as little as a few weeks, according to Tripwire.

Ross Barrett, senior manager of security engineering at the security firm Rapid7, wrote in a statement that "while DoS attacks are generally considered second (or third) tier as far as risk, this could potentially be very disruptive to an organization, since many remote services and Active Directory integrations rely on http.sys," which is the networking subsystem used by IIS.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Spotlight on ...
Online Training

    Upgrade your skills and earn higher pay

    Readers to share their best tips for maximizing training dollars and getting the most out self-directed learning. Here’s what they said.

     

    Learn more

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question
randomness