Microsoft fixes two critical IE security flaws, including 'nuke' zero-day

Summary: Get the coffee brewing. Microsoft's latest round of Patch Tuesday updates includes patches for ten security bulletins, with two considered as 'critical'.


Microsoft has dished out 10 security patches, which will fix a total of 33 vulnerabilities. In all, two of the bulletins will resolve 'critical' security flaws.

Included in the patches are eight important updates for Windows, Office, Lync, the .NET Framework, and Windows Essentials, which are hitting the usual update channels today, such as Windows and Microsoft Update.

Bulletin 1 (MS13-037) patches 11 privately reported vulnerabilities in all versions of Internet Explorer 6 and above, including for Windows 8 devices and Windows RT-based tablets. The most severe vulnerability would allow hackers to install malware on an affected machine through a specially-crafted webpage. Microsoft said lower user permissions would mitigate the damage caused by such malware. 

Bulletin 2 (MS13-038) relates to the recent "nuke-bug" flaw in Internet Explorer 8, which was discovered earlier this month.

The "watering hole" attacks were aimed at federal government employees at the U.S. Department of Labor and U.S. Department of Energy — the latter focuses on nuclear weapons research and testing. The DOL's website was compromised to direct visitors to a malware-ridden site, which triggered a drive-by download to install the Poison Ivy Trojan. The malware is linked to a hacker group based in China.

Microsoft said on Thursday that it could not guarantee that the bug would be patched as soon as Patch Tuesday. It released an emergency out-of-band "Fix It" patch the same day.

With the temporary Fix It now superseded by the full patch, users of Windows XP and above should update their systems as soon as possible.

The other eight vulnerabilities rated as "important" could allow data and information disclosure, spoofing, remote code execution attacks, or an elevation of privileges on affected machines. 

MS13-039 affects Windows 8, Windows RT, and Windows Server 2012, and could allow hackers to launch a denial-of-service attack against affected systems. By sending a specially crafted HTTP header to a vulnerable machine, an attacker can cause it to spin into an infinite loop.

Meanwhile, MS13-040 could result in spoofing if a .NET application receives a specially crafted XML file. Microsoft warned that the XML digital signature spoofing vulnerability could result in a hacker gaining access to "endpoint functions" as if they were an authenticated user.

MS13-046 affects all versions of Windows and addresses an elevation of privilege security flaw. While rated as 'important,' the attacker must be logged in and physically able to access the Windows machine.

MS13-042, MS13-043, and MS13-044 all relate to Microsoft Office 2003, 2007 and 2010. Office 2013 is not affected. These flaws range from remote code execution that could lead to malware being installed, to information disclosure.

Next up, MS13-041 fixes a flaw in Lync that could allow malware injection. In the bulletin, Microsoft notes that the user would have to be convinced to accept an invitation that would allow an attacker to gain access to their system.

Finally, MS13-045 relates to Windows Essentials, the former Windows Live product suite, specifically Windows Writer. The flaw could allow the disclosure of information if a user opens Windows Writer using a specially crafted URL. Windows Writer proxy settings could be overridden, and files accessible to the user on the target system could be overwritten.

Microsoft also dished out a bevy of patches for its Surface tablet. ZDNet's Mary Jo Foley has more.

Advanced notifications for next month's Patch Tuesday are expected on June 4, with the security patches released a week later on June 11.

  • Kudos to Microsoft

    This is fantastic news.
    • Howzat?

      how is this fantastic?
      • Because

        Patches are good.
        • Everybody patches, and all patches are equal.

          Nothing to see here folks, move along. Toddy has spoken.
          • Clearly my kudos have annoyed you

  • Kudos to Microsoft and toddbottom3 for his never ending PR work M$

    Microsoft has dished out 10 security patches, which will fix a total of 33 vulnerabilities. In all, two of the bulletins will resolve 'critical' security flaws = Just plain JUNK from Microsoft ....End Of Story.
    Over and Out
    • Patching means a product is junk?

      I just want to make sure I understand your position correctly.
      Michael Alan Goff
    • re:

      Yes, because as we all know, Linux and OS X were immaculately conceived and no line of code in them has ever been changed.

      You ABM dead enders really are getting desperate, aren't you?
      Sir Name
      • What?

        Are you smoking, and can I have some? I need to leave reality.
  • Everybody does patches

    Not sure why this is any different than another Firefox version or a Google Chrome release. They all do them in different ways. I really think tech writing is more about making a mountain out of a molehill. This could simply be a blip on a blog. Microsoft releases X number of fixes today. End of story.
    • Not everyone

      My old Android phone is still on 4.0 and hasn't received a patch in over a year, not even security updates. There are still phones running around with Android 2.2 with known vulnerabilities, which the manufacturers / carriers refuse to patch.
  • Hmm???

    I just hope that we don't get what we got last time. Blue Screen anybody.
    • No blue screen in Windows8

      Just a huge : ( with "it appears that blah blah blah". See? The new UI IS even more user friendly now. It doesn't just give you a violation address but also a huge motivo too. Things are looking up.
  • Thank God for Linux

    And Linus Torvalds. The savior of the Desktop PC
  • Big Bang

    Microsoft tends to get the attention because it releases its patches in a big bang. My Linux servers receive plenty of patches, just they occur 'as and when' and auto install, so no-one gets excited about them.
  • Sorry..

    .. I don't really remember what IE stands for... Ah! I see... It's that blue E icon on my Start menu... What the heck is it for?!? Haven't ever used it... :)) Why should I as long as there's Firefox, Chrome, Opera... ?!? I think the last version I used to use was IE 6. What's that now? 9 I think... ?? or is it 10 already? Who cares anyway...?