Computerworld - Microsoft on Tuesday patched 26 vulnerabilities, including one in Internet Explorer (IE) that's already being exploited. The company also warned customers of a new zero-day attack and quashed yet another instance of a bug that the Duqu intelligence-gathering Trojan leveraged.
The software maker also ditched one security update at the last minute and substituted another in its place, probably because the second was more serious.
Of Tuesday's seven security updates, three were rated "critical," Microsoft's top-most threat ranking, while the other four were marked "important," the next-most-serious label.
The 26 vulnerabilities -- one more than Microsoft last week told users to expect -- included 10 critical, 14 important and two judged "moderate" in the company's four-step scoring system.
Independent researchers almost unanimously pegged MS12-037 as the update Windows users should grab first.
The 13-bug patch collection affects all versions of IE, including IE10 on Windows 8 Consumer Preview, the February sneak peak that was superseded by the Review Preview two weeks ago.
"It's always important to get an IE update deployed," said Jason Miller, manager of research and development at VMware, as he cited the browser's popularity, especially in business, and thus the huge number of possible victims.
Microsoft admitted that one of the baker's dozen was already being exploited by hackers, raising the importance of applying the update immediately. "Microsoft is aware of limited attacks attempting to exploit the vulnerability," stated the company's advisory, which divulged no other details of the ongoing exploits. The vulnerability affects only IE8, the 2009 version that remains the most widely used version of Microsoft's browser.
A second vulnerability patched by MS12-037 has been publicly disclosed, Microsoft said.
Also included in the 13 was a critical vulnerability that French firm Vupen Security exploited to hack IE9 at March's Pwn2Own contest, where researchers face off against browsers for cash prizes. For its efforts, which featured a hack not only of IE9 but also Google's Chrome, the Vupen team took home $60,000.
Last week, Andrew Storms, director of security operations at nCircle Security, bet that the Vupen bug would be patched this month. But Tuesday, he said it was too close to call between the IE update and a rival, MS12-036, for first-to-fix honors.
"Certainly, [MS12-036] makes it to the top of the worrisome list," said Storms.
That update, also rated critical, patches just one vulnerability in the Remote Desktop Protocol (RDP), a Windows component that lets users remotely access a PC or server. RDP is frequently used by corporate help desks, off-site users and IT administrators to manage servers at company data centers and those the enterprise farms out to cloud-based service providers.
Free Insider Guide
We are back at it again with 10 updates in Microsoft's May edition of Patch Tuesday. Two are rated Critical, with the remaining eight rated as Important. This month's Patch Tuesday is really a story of a few steps forward followed by a step back, after the release of a seriously flawed patch released in last month's April Patch Tuesday update, which caused Microsoft to revoke, and then subsequently re-release the update. more
Copyright © 1994 - 2013 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
