Microsoft drops surprise IE patch, fixes under-attack Windows zero-day

Summary: Patch Tuesday: Redmond ships nine bulletins to fix 16 dangerous security holes in Microsoft Windows, Internet Explorer, Visual Basic for Applications, and Microsoft Office.

Microsoft today released a critical security patch to cover a zero-day flaw that was being used by "nation-state attackers" to hijack Gmail accounts.

The vulnerability, originally disclosed on June 13, affects Microsoft XML Core Services and can be exploited to launch remote code execution attacks if a Windows user simply surfs to a maliciously crafted website using Internet Explorer.

The MS12-043 bulletin headlines a heavy Patch Tuesday that includes nine bulletins -- three critical, six important -- covering 16 documented software vulnerabilities.

This month's patch batch covers dangerous security holes in the Windows operating system, the Internet Explorer browser, Visual Basic for Applications and Microsoft Office.

The Internet Explorer update is a surprise. Microsoft typically patches the IE browser every other month (last month's updates featured a major IE fix), but because of the severity of two critical vulnerabilities, the company decided to go back-to-back with patches for the world's most widely deployed browser.

Here's the skinny on the Internet Explorer bulletin, via the MSRC blog:

  • MS12-044 (Internet Explorer): This security update addresses two Critical-class, remote-code-execution issues affecting Internet Explorer. As with the MDAC issue, these two vulnerabilities were privately disclosed to us and we have no indication that they’re under exploit in the wild. As with the others, recommend that customers read the bulletin information and apply it as soon as possible. We have by the way increased our Internet Explorer resources to the point where we will be able to release an update during any month instead of on our previous, bi-monthly cadence. We look forward to your feedback on the change.

The company is also urging Windows users to pay special attention to MS12-045, a critical bulletin that covers a remote code execution flaw haunting Microsoft Data Access Components (MDAC).

"The issue exists in all versions of Windows, and users of any version of Internet Explorer would potentially be vulnerable to it; however, we received word of this issue through private disclosure and we have no evidence that it is publicly known or under exploit in the wild. Still, we recommend that customers read the bulletin information and apply it as soon as possible," Microsoft said.

The other six bulletins are all rated "important" and affect Windows, Visual Basic for Applications, and Office, including SharePoint and Office for Mac.


Talkback

  • When all is said and done, they keep on trying.....

    now we'll all wait for Loverock Davidson to give his OK that everything is actually ok........where are you Lovie?
    Over and Out
    • Awesome!!!

      Man that was funny lol!!
      Rampage434
    • Shocking

      Shocking I tell you! Why ever would he post that kind of comment to the boards? Shocking!
      THavoc
    • Deja vu..

      @SoYouSaid - Didn't you just write the same comment on an older article "Patch Tuesday misses zero-day vulnerability"? You're just looking for attention.
      TechNickle
      • For FuzzyBunnySlippers

        Time to grow up and quit playing kids' games of nit-picking people's comments. How does it affect YOUR life if Deja vu posts the same comment all over the friggin internet? Really! And stop playing amateur psychologist. You aren't qualified. You have NO idea why anybody does ANYTHING out here in cyberspace. Get a life!
        guardian1935
        • What's worse

          The Troll or the Troll's defender? guardian you sir are the worst kind of troll!
          MrCaddy
          • ROTFLMAO!

            Logically speaking... SoYouSaid was Trolling a known troll so by your logic, MrCaddy, by attacking guardian1935 you place yourself in the lowest position: Defender of defender of a troll!

            P.S. don't try to play this game with me... I'm not defending anyone; only making an observation. I already noted that SoYouSaid was trolling Loverock. I'm not trolling either since this is endgame and checkmate.
            techadmin.cc
  • "the world's most widely deployed browser"

    Well, all of my Windows based machines have IE. But I only use it for updates on Win XP and that's only by coercion by MS. Otherwise, it's the most widely derided and avoided browser. If Mac OS X had more market share, then Safari might claim that title. Anyone using either one gets what they deserve.
    Splork
    • Deployed was probably the wrong word to use

      They probably should have said most widely used (though I think that's about to change either way).
      ian.aldrighetti
      • Nope

        The original wording is correct. Just because it is deployed (installed on a system) does not mean it is used on said system. And since nearly all Windows computers (EU systems are exempt) have it installed by default, it does make it the most widely deployed browser.
        ultimitloozer
    • "if"

      @splork, u sed "If Mac OS X had more market share, then Safari might claim that title." Um, okay, sure, why not. If fire wasn't hot, it might not burn. And if I had more money, I could spend more money. And if . . .

      As for the article, if I might return to that, it is mostly BAU, but also nice of Microsoft to finally admit that IE needs more resources to properly promptly patch it.
      moebiusloop
    • Splork

      I have always used IE and never, ever had a problem. It took me two hours to figure out my s. o.'s problems with Firefox today and get it fixed.
      guardian1935
      • Never had a problem eh? Count yourself lucky.

        Would you go on record saying that no one has ever had a problem with IE? I hope not. I have had to reinstall windows in order to fix IE problems. Did you have to reinstall Windows to fix FF? I'm interested because, although I am a field service tech and worked on literally thousands of users computers, the last time I had to take longer than a simple software reinstall to fix a non IE browser was back when installing IE on a system with Netscape caused the system to have to be reloaded before Netscape would work again.
        techadmin.cc
  • Microsoft drops surprise IE patch, fixes under-attack Windows zero-day

    everything is actually ok
    Loverock Davidson-
    • I bet you miss the good old days,

      or was that 'day', when Win7 was the most secure OS on the planet:
      http://www.zdnet.com/blog/hardware/vista7-more-secure-than-linux-and-mac-os-x/4146
      anothercanuck
      • And at the time of that article it was.

        Times change. Though Windows 7 is still very secure. Even the vulnerabilities covered in this patch are non-issues as they don't provide administrative rights. So keeping with the OS X criteria this is a non-issue.
        ye
        • At the time of that article it was not.

          All of the vulnerabilities patched since that article made that statement prove that it was not. Unknown security vulnerabilities do not make an OS more secure. Certainly there are unknown vulnerabilities in all three platforms but the number of vulnerabilities found patched and exploited is the measure of an OS's security. It was premature to make such a claim then and time has shown that claim to have been false.
          techadmin.cc
        • At the time that article was written . . .

          . . . these flaws existed. All these years between then and now, they existed. Just because YOU didn't know they existed doesn't mean Win7 was secure. It means it was insecure and you didn't know it.
          sporkfighter
    • LoveRock Davidson said...

      LoveRock Davidson said it, I believe it, that settles it, everything IS actually ok.
      How dare these blasphemers deny that LoveRock Davidson Is the TRUTH, the LIGHT, and the WAY?
      Well, him or Ed Bot.
      I'm still buying 32 pin Busy Bee Robot megaram, It is perfect for BB's spatial orientation processing which runs through an old 386 mobo, he hardly ever falls over or runs into things now, a real improvement over the old gyro and laser. Now if I could just get him to quit playing hide and seek and talking smack. A robot shouldn't say "leave me alone you damned dirty ape." I had to quit putting bullets in his weapon because he is really prejudiced, he thinks biological life is very poorly designed and inferior to robots. He has no creative instincts and only does new stuff when he is trying to load code segments in different order, I don't know why this happens, but when it happens my boy BB is full goose retard. I thought allowing him to decide for himself the best way to regulate his limbs was a good thing, now the sumbatch is trying to walk on his hands, he's done "The Worm" and the Randolph Shuffle, I gave him a cowboy hat, hope he don't try riding the dog. Oh how I wish LoveRock Davidson could declare him to be actually ok.
      Does anybody know how to use liquid hydrogen to cool a Chernobyl APU micro reactor? Should it pool or circulate? Would LOX be better? The fuel rod is about the size of a crayon, Not enough room onboard for water cooling...oh bother. To heck with it, I'm gonna go throw water balloons at all those bikers....no wait...ghetto gecko paintball might be fun. HOODIE:Marked For Death.
      Otis Driftwood
      • Don't give up your day job.

        Trying to be funny isn't your gig.
        NoAxToGrind