Microsoft rushes IE8 zero-day fix into next week's Patch Tuesday
"I'm surprised. I thought they wouldn't get this out until the end of next week as an out-of-band," Storms said, using the term for an emergency security update.
The other IE update, Bulletin 1, will likely include fixes for the vulnerabilities revealed a month ago at the Pwn2Own hacking contest, said Storms. His prediction was a repeat of last month's, when he bet that the Pwn2Own bugs would be patched April 9.
"The Pwn2Own fixes have got to be in there, come on now," said Storms, saying Microsoft could legitimately be accused of dropping the ball if it doesn't patch the vulnerabilities this round.
At March's Pwn2Own contest, a team from the French firm Vupen exploited two bugs to hack IE10 on Windows 8 Pro, winning $100,000 for demonstrating the exploits and providing proof-of-concept attack code.
Google and Mozilla patched the vulnerabilities disclosed in their Chrome and Firefox within hours of the contest, leaving Microsoft as the laggard among the brought-down browsers.
The scant information included in Microsoft's advanced notification of next week's updates makes it almost certain that the Vupen vulnerabilities will be patched by Bulletin 2.
"The first stage vulnerability that we used at Pwn2Own against Windows 8 and Internet Explorer 10 affects all versions of IE from IE6 to IE10, all versions of Windows from XP to Windows 8, and also Surface Pro and Surface RT," said Chaouki Bekrar, Vupen's CEO and head of research, in an email reply to questions last month.
Bulletin 2 calls out that same list of browsers -- IE6, IE7, IE8, IE9 and IE10 -- as well as all versions of Windows, including Windows RT, the tablet OS that powers Microsoft's Surface RT hardware.
Other bulletins slated to ship on Tuesday will patch Microsoft Publisher 2003, 2007 and 2010; Word 2003; Visio 2003, 2007 and 2010; Microsoft Communicator 2007 R2; various components of Lync 2010 and Lync Server 2013; and Windows Essentials 2011.
That last program, actually a suite of desktop applications, was retired by Microsoft in 2012 prior to the launch of Windows 8.
Microsoft will release next week's 10 security updates on May 14 around 1 p.m. ET.
This article, Microsoft rushes IE8 zero-day fix into next week's Patch Tuesday, was originally published at Computerworld.com.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- DDoS Infographic: How Are Attacks Evolving? For the third consecutive year, Neustar surveyed businesses across major industries to track the evolution of DDoS attacks. Are they more frequent? Larger?...
- How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Malware and Vulnerabilities White Papers | Webcasts