Patch Tuesday: Microsoft to fix one critical Internet Explorer flaw

Summary: In June's upcoming Patch Tuesday, the software giant has only one "critical" flaw up its sleeve, with the remaining four rated "important."

It looks like June will be a relatively quiet month for security patches, with Microsoft set to dish out just one fix for a "critical" flaw in Internet Explorer. 

The software giant said in its latest advance security bulletin notification that it has five security vulnerability bulletins, including one for an Internet Explorer zero-day flaw that is currently being exploited in the wild by hackers and malware writers.

All versions of Internet Explorer 6 and above, including IE10 on Windows 7 and Windows 8 devices — which include Surface and Surface RT tablets — and Windows Server products, will require patching as soon as possible. 

The zero-day flaw in Internet Explorer allows a remote code execution attack, in which a hacker can exploit the flaw to install malicious software on an affected computer.

As with all advance notifications, Microsoft doesn't want to tip off the hackers with exactly what the flaw is, but more details will be released next week after the patches are released.

It comes at a delicate time for Microsoft, which in recent weeks was embroiled in a public security street fight with rival Google. A security expert working at the search giant published a vulnerability on a public disclosure list instead of reporting it directly to Microsoft.

It's not clear if the patch for this privilege escalation flaw will make it into the June round-up of security updates.

The other four bulletins are rated "important," and affect Windows and Office. In all, the 23 individual flaws range from information disclosure and elevation of user privileges to denial-of-service attacks and remote code execution, which can allow malware onto an affected device.

In a rare update, Microsoft will update its Office for Mac 2011 software — the version of the productivity suite for Apple OS X-based machines — with an "important" rated update. The bulletin will also include a patch for Office 2003 (Service Pack 3) for Windows machines.

Microsoft will release its latest round of security updates and patches on June 7, and those will be available on all the usual update channels.

  • Sad state of affairs...

    "All versions of Internet Explorer 6 and above..."
    Is this EVER going to stop?
    It appears that, notwithstanding assurances from the powers-to-be, "flaws" keep popping up.
    How many years since IE6 was released?
    And even the latest version has the "flaw"?
    So much for quality control.
    • sure, when all programmers are perfect!

      I guess only Microsoft products have flaws, as we NEVER see updates from other vendors! /Sarcasm
      Come on, at least there are efforts. And, no one really should be using IE6 at this point.
    • Their quality control is top-notch, actually.

      The only reason why so many "flaws" keep popping up is because their product is the one most targeted.

      It's much easier to find bugs when you have a large market-share than when you don't.

      Anyhow, it's more of MS' wording than anything.

      What they call a critical flaw, other companies call a bug.
      • let's see

        remote code execution "bug" in Internet Explorer allowing installation of something on the machine is a serious business, esp. when it is not just a theory and being exploited in the wild. This is a serious issue in my book.
        Now with your "a large market-share" argument, it's exactly what we are told when pointing at this in the OS sense. This argument cannot be more flawed here, since IE's share is undeniably less than those of Chrome and Firefox combined. However, it's been quite long since I heard of remote execution exploits on those browsers.
      • When did this large market-share start?

        "It's much easier to find bugs when you have a large market-share than when you don't."

        The Microsoft OWC two-year vulnerability patch

        Microsoft finally catches the eight year bug
    • Actually

      The big difference between IE and Firefox is that Microsoft is still supporting IE 6 and Mozilla isn't even supporting Firefox 3.6 anymore.

      I chose Firefox at random, but my point was that we don't know if other companies have the same problem because they cut support quicker.
      Michael Alan Goff
      • And they're pretty stupid supporting IE6

        After 12 years they need to kill it big time. The biggest malware attractor in history.
        • I agree

          But imagine how much backlash they'd get from the people who use it.

          They'd be lambasted for not supporting "their customers" in the way that some people have attacked them for not supporting XP after 2014.

          It's time to move on, people.
          Michael Alan Goff
          • Let them backlash

            However I welcome any lawsuit they file against M$
          • Of course you do

            I'd imagine there wouldn't be many lawsuits, just complaining... which isn't so bad.

            Microsoft just needs to pull the plug on IE 6 patching. Maybe 7 as well. I wonder if they can take those people and use them to make 8-10 (and soon 11) even better.
            Michael Alan Goff
        • ie

          You got that right.
    • Well, it IS Microsoft.

      So don't act so surprised. Imagine the XP flaws that could pop up after April 8th, 2014, when Microsoft "officially" discontinues XP after the third time.
      Richard Estes
      • Microsoft is going down

        Keep XP out of it.
    • It just shows that Microsoft repeats mistakes again and again...

      IF Internet Exploder were truly as revised as the company shills are wanting us to believe, we would not see the same faults in every working version of it. Yet, it happens nearly every time Patch Tuesday comes, the same mistakes over many versions of product.
  • One eyed pirate again anxiously awaiting "Patch Tuesday!"

    Ta dum ta dum!:)
  • If the flaw is that old ...

    it has not caused any symptoms until now, and is in some code that has been copied unchanged over all these versions. Or else they KNEW about it all along and never bothered to fix it. In that case, for WHOM did they choose to leave it until now?
    • How can you possibly know that?

      Someone could easily have been quietly exploiting a 10+ year old unpatched critical bug. That someone need only be careful enough and tidy enough not to attract any attention.

      The scary part is that the I.E. codebase still has so many unpatched critical bugs that we keep finding at least one for each Patch Tuesday.

      "All versions of Internet Explorer 6 and above, including IE10 on Windows 7 and Windows 8 devices — which include Surface and Surface RT tablets — and Windows Server products, will require patching as soon as possible. "

      I read that and weep! And then I'm glad I don't use I.E.
      • Best to worry about vulns with exploits that are known to be in-the-wild

        And are not yet patched. Like the one for a Microsoft Office vulnerability that will be patched next Tuesday. More here:

        "Microsoft to tackle under-attack Office bug next week"

        Is this ITW exploit for Office 2003, Office for Mac 2011, or both? In any case, best to be extra careful opening Microsoft Office email attachments in the meantime.

        P.S. Having written this, next week's patch for IE should be promptly applied as the vuln is remotely exploitable (read: will likely be used in future drive-by attacks).
        Rabid Howler Monkey
        • Addendum

          In the ZDNet article, it's stated that the Internet Explorer vuln "is currently being exploited in the wild by hackers and malware writers". Whereas the ComputerWorld article I referenced in the above post indicates that it is a Microsoft Office vuln that is currently being exploited in-the-wild. This was verified via an email from a security and forensic analyst at Lumension.
          Rabid Howler Monkey
          • Maybe they're BOTH being exploited in the wild, then?

            Please cite a verifiable source, if you're going to claim that this IE bug isn't being exploited already.