Microsoft drops surprise IE patch, fixes under-attack Windows zero-day

Patch Tuesday: Redmond ships nine bulletins to fix 16 dangerous security holes in Microsoft Windows, Internet Explorer, Visual Basic for Applications, and Microsoft Office.
Written by Ryan Naraine, Contributor

Microsoft today released a critical security patch to cover a zero-day flaw that was being used by "nation-state attackers" to hijack Gmail accounts.

The vulnerability, originally disclosed on June 13, affects Microsoft XML Core Services and can be exploited to launch remote code execution attacks if a Windows user simply surfs to a maliciously crafted website using Internet Explorer.

The MS12-043 bulletin headlines a heavy Patch Tuesday that includes nine bulletins -- three critical, six important -- covering 16 documented software vulnerabilities.

This month's patch batch covers dangerous security holes in the Windows operating system, the Internet Explorer browser, Visual Basic for Applications and Microsoft Office.

The Internet Explorer update is a surprise. Microsoft typically patches the IE browser every other month (last month's updates featured a major IE fix), but because of the severity of two critical vulnerabilities, the company decided to go back-to-back with patches for the world's most widely deployed browser.

Here's the skinny on the Internet Explorer bulletin, via the MSRC blog:

  • MS12-044 (Internet Explorer): This security update addresses two Critical-class, remote-code-execution issues affecting Internet Explorer. As with the MDAC issue, these two vulnerabilities were privately disclosed to us and we have no indication that they’re under exploit in the wild. As with the others, we recommend that customers read the bulletin information and apply it as soon as possible. We have by the way increased our Internet Explorer resources to the point where we will be able to release an update during any month instead of on our previous, bi-monthly cadence. We look forward to your feedback on the change.

The company is also urging Windows users to pay special attention to MS12-045, a critical bulletin that covers a remote code execution flaw haunting Microsoft Data Access Components (MDAC).

"The issue exists in all versions of Windows, and users of any version of Internet Explorer would potentially be vulnerable to it; however, we received word of this issue through private disclosure and we have no evidence that it is publicly known or under exploit in the wild. Still, we recommend that customers read the bulletin information and apply it as soon as possible," Microsoft said.

The other six bulletins are all rated "important" and affect Windows, Visual Basic for Applications, and Office, including SharePoint and Office for Mac.
