Microsoft drops surprise IE patch, fixes under-attack Windows zero-day

Summary:Patch Tuesday: Redmond ships nine bulletins to fix 16 dangerous security holes in Microsoft Windows, Internet Explorer, Visual Basic for Applications, and Microsoft Office.

Microsoft today released a critical security patch to cover a zero-day flaw that was being used by "nation-state attackers" to hijack Gmail accounts.

The vulnerability, originally disclosed on June 13, affects Microsoft XML Core Services and can be exploited to launch remote code execution attacks if a Windows user simply surfs to a maliciously crafted website using Internet Explorer.

follow Ryan Naraine on twitter
The MS12-043 bulletin headlines a heavy Patch Tuesday that includes nine bulletins -- three critical, six important -- covering 16 documented software vulnerabilities.

This month's patch batch covers dangerous security holes in the Windows operating system, the Internet Explorer browser, Visual Basic for Applications and Microsoft Office.

The Internet Explorer update is a surprise.  Microsoft typically patches the IE browser every other month (last month's updates featured a major IE fix) but because of the severity of two critical vulnerablities, the company decided to go back-to-back with patches for the world's most widely deployed browser.

Here's the skinny on the Internet Explorer bulletin, via the MSRC blog:

  • MS12-044 (Internet Explorer): This security update addresses two Critical-class, remote-code-execution issues affecting Internet Explorer. As with the MDAC issue, these two vulnerabilities were privately disclosed to us and we have no indication that they’re under exploit in the wild. As with the others, recommend that customers read the bulletin information and apply it as soon as possible. We have by the way increased our Internet Explorer resources to the point where we will be able to release an update during any month instead of on our previous, bi-monthly cadence. We look forward to your feedback on the change.

The company is also urging Windows users to pay special attention to MS12-045, a critical bulletin that covers a remote code execution flaw haunting Microsoft Data Access Components (MDAC)

"The issue exists in all versions of Windows, and users of any version of Internet Explorer would potentially be vulnerable to it; however, we received word of this issue through private disclosure and we have no evidence that it is publically known or under exploit in the wild. Still, we recommend that customers read the bulletin information and apply it as soon as possible," Microsoft said.

The other six bulletins are all rated "important" and affects Windows, Visual Basic for Applications, and Office, including SharePoint and Office for Mac.


Topics: Security, Browser, Enterprise Software, Microsoft, Operating Systems, Windows

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.