Microsoft rushes Explorer 8 patch release
Just 11 days after issuing an advisory, Microsoft has released a patch for a bug in Internet Explorer 8 that bedeviled the U.S. Department of Labor earlier this month.
Microsoft’s speedy release of this patch “is an outstanding example of Microsoft’s responsiveness to the security community and their users,” wrote Andrew Storms, director of security of operations for security software provider Tripwire, in an email statement.
This IE8 security bulletin (MS13-038) is one of 10 that Microsoft released Tuesday as part of its “Patch Tuesday” release of bug fixes and security bulletins that the company routinely issues on the second Tuesday of each month.
Microsoft marked MS13-038 as critical and the company, along with other security firms, are advising those still running IE8 to apply the fix immediately. Using an altered Labor Department Web page, attackers used this vulnerability in an attempt to install malicious code on any visitor’s machine running IE8. Microsoft issued a temporary fix for this vulnerability last week.
The other critical bulletin, MS13-037, also affects Internet Explorer. This update resolves 11 issues that would have made it easy to inject malicious code into the browser from a specially crafted Web page, allowing the user to take control of a computer. The update covers the PWN2Own vulnerability, unearthed earlier this year.
Those running Windows Server 2012 should take an immediate look at MS MS13-039. This update fixes a vulnerability in the Microsoft Web IIS (Internet Information Services) that could be used in a Denial of Service (DoS) attack, through the use of an HTTP packet. Because it would be relatively simple to craft an attack using this vulnerability, organizations should apply this update as soon as possible, because exploits based on this vulnerability might start appearing in as little as a few weeks, according to Tripwire.
Ross Barrett, senior manager of security engineering at the security firm Rapid7, wrote in a statement that “while DoS attacks are generally considered second (or third) tier as far as risk, this could potentially be very disruptive to an organization, since many remote services and Active Directory integrations rely on http.sys,” which is the networking subsystem used by IIS.
A “successful exploit of this bug could have serious implications for public Web servers without some kind of inline [intrusion prevention system] in front of them. Essentially, any user could launch a simple attack and the server will essentially be offline,” Storms noted. He also noted that any copy of Microsoft Server 2012—not just those functioning as Web servers—could be running IIS, such as a server for Microsoft Exchange or SharePoint.
The seven remaining bulletins—none critical but all deemed important—address bugs in Microsoft’s Lync, Publisher, Word, Visio, Windows Essentials, .Net, and the Windows kernel.