Microsoft rushes Explorer 8 patch release

Microsoft's Patch Tuesday for May addresses 10 security issues, three of them that need to be addressed immediately

Just 11 days after issuing an advisory, Microsoft has released a patch for a bug in Internet Explorer 8 that bedeviled the U.S. Department of Labor earlier this month.

Microsoft's speedy release of this patch "is an outstanding example of Microsoft's responsiveness to the security community and their users," wrote Andrew Storms, director of security of operations for security software provider Tripwire, in an email statement.

This IE8 security bulletin (MS13-038) is one of 10 that Microsoft released Tuesday as part of its "Patch Tuesday" release of bug fixes and security bulletins that the company routinely issues on the second Tuesday of each month.

Microsoft marked MS13-038 as critical and the company, along with other security firms, are advising those still running IE8 to apply the fix immediately. Using an altered Labor Department Web page, attackers used this vulnerability in an attempt to install malicious code on any visitor's machine running IE8. Microsoft issued a temporary fix for this vulnerability last week.

The other critical bulletin, MS13-037, also affects Internet Explorer. This update resolves 11 issues that would have made it easy to inject malicious code into the browser from a specially crafted Web page, allowing the user to take control of a computer. The update covers the PWN2Own vulnerability, unearthed earlier this year.

Those running Windows Server 2012 should take an immediate look at MS MS13-039. This update fixes a vulnerability in the Microsoft Web IIS (Internet Information Services) that could be used in a Denial of Service (DoS) attack, through the use of an HTTP packet. Because it would be relatively simple to craft an attack using this vulnerability, organizations should apply this update as soon as possible, because exploits based on this vulnerability might start appearing in as little as a few weeks, according to Tripwire.

Ross Barrett, senior manager of security engineering at the security firm Rapid7, wrote in a statement that "while DoS attacks are generally considered second (or third) tier as far as risk, this could potentially be very disruptive to an organization, since many remote services and Active Directory integrations rely on http.sys," which is the networking subsystem used by IIS.

A "successful exploit of this bug could have serious implications for public Web servers without some kind of inline [intrusion prevention system] in front of them. Essentially, any user could launch a simple attack and the server will essentially be offline," Storms noted. He also noted that any copy of Microsoft Server 2012 -- not just those functioning as Web servers -- could be running IIS, such as a server for Microsoft Exchange or SharePoint.

The seven remaining bulletins -- none critical but all deemed important -- address bugs in Microsoft's Lync, Publisher, Word, Visio, Windows Essentials, .Net, and the Windows kernel.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

Tags patchesMicrosoftsecuritypatch managementExploits / vulnerabilities

More about Andrew Corporation (Australia)IDGMicrosoftRapid7TripwireVisio

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Joab Jackson

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place