Microsoft rushes IE8 zero-day fix into next week's Patch Tuesday
"I'm surprised. I thought they wouldn't get this out until the end of next week as an out-of-band," Storms said, using the term for an emergency security update.
The other IE update, Bulletin 1, will likely include fixes for the vulnerabilities revealed a month ago at the Pwn2Own hacking contest, said Storms. His prediction was a repeat of last month's, when he bet that the Pwn2Own bugs would be patched April 9.
"The Pwn2Own fixes have got to be in there, come on now," said Storms, saying Microsoft could legitimately be accused of dropping the ball if it doesn't patch the vulnerabilities this round.
At March's Pwn2Own contest, a team from the French firm Vupen exploited two bugs to hack IE10 on Windows 8 Pro, winning $100,000 for demonstrating the exploits and providing proof-of-concept attack code.
Google and Mozilla patched the vulnerabilities disclosed in their Chrome and Firefox within hours of the contest, leaving Microsoft as the laggard among the brought-down browsers.
The scant information included in Microsoft's advanced notification of next week's updates makes it almost certain that the Vupen vulnerabilities will be patched by Bulletin 2.
"The first stage vulnerability that we used at Pwn2Own against Windows 8 and Internet Explorer 10 affects all versions of IE from IE6 to IE10, all versions of Windows from XP to Windows 8, and also Surface Pro and Surface RT," said Chaouki Bekrar, Vupen's CEO and head of research, in an email reply to questions last month.
Bulletin 2 calls out that same list of browsers -- IE6, IE7, IE8, IE9 and IE10 -- as well as all versions of Windows, including Windows RT, the tablet OS that powers Microsoft's Surface RT hardware.
Other bulletins slated to ship on Tuesday will patch Microsoft Publisher 2003, 2007 and 2010; Word 2003; Visio 2003, 2007 and 2010; Microsoft Communicator 2007 R2; various components of Lync 2010 and Lync Server 2013; and Windows Essentials 2011.
That last program, actually a suite of desktop applications, was retired by Microsoft in 2012 prior to the launch of Windows 8.
Microsoft will release next week's 10 security updates on May 14 around 1 p.m. ET.
This article, Microsoft rushes IE8 zero-day fix into next week's Patch Tuesday, was originally published at Computerworld.com.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- Datacenter eGuide Read on to learn what technologies are essential for high-performing data centers today, and to get a glimpse of what the data center...
- EndPoint Interactive eGuide In this eGuide, Network World, Computerworld, and CIO examine two endpoint trends - BYOD and collaboration - and offer tips and advice on...
- The Business Value of Continuous Delivery Download this whitepaper to learn more about the business value of Continuous Delivery and see why it could be a game changer for...
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success!
- Transform Your IT Service Management Watch this webinar, to learn how EasyVista can increase IT productivity & efficiency and deliver streamlined & integrated IT Service & Asset Mgmt. All Malware and Vulnerabilities White Papers | Webcasts