Patch Tuesday leaves Internet Explorer zero day untouched

There are only two Critical security bulletins this month, but a recently discovered Internet Explorer zero day remains unpatched.

It's Patch Tuesday time again. This month Microsoft has unleashed nine new security bulletins. Nine is a reasonably high number of updates; however, only two of them are rated as Critical. So, it's actually a little more laid back than most months, but there's still cause for concern.

There are seven security bulletins rated as Important, which affect a range of platforms and services including Active Directory, the Windows antimalware client, and the Windows Kernel. The two Critical security bulletins apply to Internet Explorer and Remote Desktop. Be prepared--most of the patches require a reboot.

Wolfgang Kandek, CTO of Qualys, suggests that IT admins focus on Internet Explorer first. "This month, the most important bulletin to apply to your infrastructure is MS13-028, which contains a new release of Internet Explorer (IE) covering all versions of the browser starting with IE6 going to IE10, and also including Windows RT, the operating system for mobile devices and tablets."

Andrew Storms, director of security operations for nCircle (a Tripwire company), agrees that Internet Explorer deserves attention, but adds that Internet Explorer lacks its usual "patch immediately" urgency. Microsoft has assigned the underlying IE flaws an exploit index rating of two, which indicates that Microsoft believes they are exceptionally difficult to exploit, and that a successful exploit is not likely in the next 30 days.

It's not all sunshine and roses, though, according to Marc Maiffret, CTO of BeyondTrust. First, he notes that the flaws addressed in the Internet Explorer update affect all supported versions of Internet Explorer, and warns that attackers will be working diligently to develop an exploit with such a large pool of potential targets.

Maiffret also points out that the Microsoft update does not address a recently discovered vulnerability in Internet Explorer 9, which could enable an attacker to bypass security controls and execute additional exploits.

As always, all relevant patches should be applied as soon as possible. Once a patch is released, attackers can reverse-engineer it to figure out how the vulnerability works and develop an exploit for it. It's a race to get your PCs patched before attackers craft an exploit, and the reality is that most malware attacks use exploits against known vulnerabilities for which patches have already been developed.

Consumers and small businesses should have Automatic Updates enabled. Businesses that need to test and validate patches before deploying them should get to work.

As an aside, Adobe also released updates today for ColdFusion, Flash Player, and Shockwave Player.
