Microsoft rushes IE8 zero-day fix into next week's Patch Tuesday
"I'm surprised. I thought they wouldn't get this out until the end of next week as an out-of-band," Storms said, using the term for an emergency security update.
The other IE update, Bulletin 1, will likely include fixes for the vulnerabilities revealed a month ago at the Pwn2Own hacking contest, said Storms. His prediction was a repeat of last month's, when he bet that the Pwn2Own bugs would be patched April 9.
"The Pwn2Own fixes have got to be in there, come on now," said Storms, saying Microsoft could legitimately be accused of dropping the ball if it doesn't patch the vulnerabilities this round.
At March's Pwn2Own contest, a team from the French firm Vupen exploited two bugs to hack IE10 on Windows 8 Pro, winning $100,000 for demonstrating the exploits and providing proof-of-concept attack code.
Google and Mozilla patched the vulnerabilities disclosed in their Chrome and Firefox within hours of the contest, leaving Microsoft as the laggard among the brought-down browsers.
The scant information included in Microsoft's advanced notification of next week's updates makes it almost certain that the Vupen vulnerabilities will be patched by Bulletin 2.
"The first stage vulnerability that we used at Pwn2Own against Windows 8 and Internet Explorer 10 affects all versions of IE from IE6 to IE10, all versions of Windows from XP to Windows 8, and also Surface Pro and Surface RT," said Chaouki Bekrar, Vupen's CEO and head of research, in an email reply to questions last month.
Bulletin 2 calls out that same list of browsers -- IE6, IE7, IE8, IE9 and IE10 -- as well as all versions of Windows, including Windows RT, the tablet OS that powers Microsoft's Surface RT hardware.
Other bulletins slated to ship on Tuesday will patch Microsoft Publisher 2003, 2007 and 2010; Word 2003; Visio 2003, 2007 and 2010; Microsoft Communicator 2007 R2; various components of Lync 2010 and Lync Server 2013; and Windows Essentials 2011.
That last program, actually a suite of desktop applications, was retired by Microsoft in 2012 prior to the launch of Windows 8.
Microsoft will release next week's 10 security updates on May 14 around 1 p.m. ET.
This article, Microsoft rushes IE8 zero-day fix into next week's Patch Tuesday, was originally published at Computerworld.com.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Fight Malware, Malfeasance and Malingering Every year brings more extreme sets of threats than the last. The good news is that there are a range of mitigation options....
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Malware and Vulnerabilities White Papers | Webcasts