Skip the navigation

Microsoft rushes IE8 zero-day fix into next week's Patch Tuesday

May 9, 2013 03:06 PM ET

"I'm surprised. I thought they wouldn't get this out until the end of next week as an out-of-band," Storms said, using the term for an emergency security update.

The other IE update, Bulletin 1, will likely include fixes for the vulnerabilities revealed a month ago at the Pwn2Own hacking contest, said Storms. His prediction was a repeat of last month's, when he bet that the Pwn2Own bugs would be patched April 9.

"The Pwn2Own fixes have got to be in there, come on now," said Storms, saying Microsoft could legitimately be accused of dropping the ball if it doesn't patch the vulnerabilities this round.

At March's Pwn2Own contest, a team from the French firm Vupen exploited two bugs to hack IE10 on Windows 8 Pro, winning $100,000 for demonstrating the exploits and providing proof-of-concept attack code.

Google and Mozilla patched the vulnerabilities disclosed in their Chrome and Firefox within hours of the contest, leaving Microsoft as the laggard among the brought-down browsers.

The scant information included in Microsoft's advanced notification of next week's updates makes it almost certain that the Vupen vulnerabilities will be patched by Bulletin 2.

"The first stage vulnerability that we used at Pwn2Own against Windows 8 and Internet Explorer 10 affects all versions of IE from IE6 to IE10, all versions of Windows from XP to Windows 8, and also Surface Pro and Surface RT," said Chaouki Bekrar, Vupen's CEO and head of research, in an email reply to questions last month.

Bulletin 2 calls out that same list of browsers -- IE6, IE7, IE8, IE9 and IE10 -- as well as all versions of Windows, including Windows RT, the tablet OS that powers Microsoft's Surface RT hardware.

Other bulletins slated to ship on Tuesday will patch Microsoft Publisher 2003, 2007 and 2010; Word 2003; Visio 2003, 2007 and 2010; Microsoft Communicator 2007 R2; various components of Lync 2010 and Lync Server 2013; and Windows Essentials 2011.

That last program, actually a suite of desktop applications, was retired by Microsoft in 2012 prior to the launch of Windows 8.

Microsoft will release next week's 10 security updates on May 14 around 1 p.m. ET.

This article, Microsoft rushes IE8 zero-day fix into next week's Patch Tuesday, was originally published at Computerworld.com.

covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at Twitter @gkeizer, on Google+ or subscribe to Gregg's RSS feed Keizer RSS. His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.



Our Commenting Policies