The Inquirer-Home

Microsoft patches zero-day vulnerability in Internet Explorer

With May's Patch Tuesday release
Wed May 15 2013, 12:20
Microsoft Internet Explorer 9 logo

SOFTWARE HOUSE Micrososft released its monthly security update on Tuesday that fixes a critical flaw in Internet Explorer (IE).

Users are being advised to update their systems following the release of Microsoft's monthly Patch Tuesday security update, as the May edition includes a critical fixes for a zero-day vulnerability in IE and one other flaw rated by the company as a critical security risk.

If exploited, the flaws could allow an attacker to remotely execute code on a targeted system.

Microsoft has listed the critical patches as a top deployment priority, a sentiment shared by security experts following the release.

Marc Maiffret, chief technology officer for Beyondtrust, told The INQUIRER that the scope of the flaws, which impacted every current supported version of both IE and Windows, along with the zero-day status make the deployments an important fix for all users.

Maiffret noted that while an alternative browser such as Chrome or Firefox could mitigate some of the risk, users should still keep their systems patched in case IE is still set as the default application for some files and applications.

"We have a lot of customers that do run Chrome," he said. "The thing you want to make sure of is that you don't just have Chrome installed alongside but make sure it is the default browser, and not just the browser on the desktop."

Other security issues addressed in the update include eight bulletins rated by Microsoft as important security risks. The flaws include remote code execution as well as a denial of service and another elevation of privilege flaw which could prove to be bigger issues for some customers.

Maiffret said that for administrators of Windows Server 2012 systems, a flaw in the HTTP.sys component could be targeted to perform denial of service attacks, possibly crippling a system and preventing user access for the duration of the attack. The fix has been classified as a top deployment priority for Server 2012.

Similarly, a flaw in Windows XP could be exploited in conjunction with other attacks. Maiffret, who does not recommend running the dated platform in a business setting due to security concerns, explained that an attacker could potentially target one of the Internet Explorer flaws to access a system with local user clearance and then target the elevation privilege flaw to gain total control over the system and potentially wreak further havoc. µ


Share this:

blog comments powered by Disqus
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

INQ Poll

Happy new year!

What tech are you most looking forward to in 2015