Patch Tuesday: Microsoft fixes Internet Explorer for the second time this month

Microsoft is issuing the second critical patch this month for Internet Explorer, but this time won't stray from its dictum not to support versions that run with Windows XP.

The IE bulletin is ranked critical, and if the vulnerabilities it addresses are exploited, it could result in attackers remotely executing malicious code on victim machines. The patches are available for IE 6 through 11.

The update likely will contain an out-of-band patch issued last week for a zero-day flaw as well as vulnerabilities unearthed during the hacking competition earlier this year at CanSecWest, says Qualys CTO Wolfgang Kandek.

Microsoft included Windows XP in that out-of-band patch despite the fact that XP is officially unsupported by the company. That is not the case with the patches coming out next Tuesday, making this the first time a known flaw affecting XP is going unaddressed.

"Anyone still using XP just got a little less secure, not that they were well off to begin with," says Ross Barrett, a senior manager of security engineering at Rapid7.

Users of other operating systems who also use IE should expect fixes routinely every Patch Tuesday, says Russ Ernst, the director of product management at Lumension. "The bad guys continue to wage war on what remains one of the most popular browsers so, for organizations that rely on it, IT needs to patch monthly, at a minimum," he says.

In addition to the IE bulletin, Microsoft is issuing critical patches for SharePoint 2007, 2010 and 2013 as well as Office Online. Six other bulletins are rated as important, meaning they require users to take an action such as clicking on a link in order to be exploited. They affect Office, most versions of Windows and the .NET framework. "May patch Tuesday, the second patching event of this May, is breaking with the recent trend of lighter than average months," says Barrett.

Bulletin 3 is a possible remote code execution that hits Office; bulletin 4 is for most versions of Windows. Windows and the .NET framework are covered off in bulletin 5 with an elevation of privilege issue. The sixth and seventh bulletins impact most versions of Windows with elevation of privilege and denial of service issues respectively. The last bulletin addresses a security feature bypass issue in Office.

Tim Greene covers Microsoft and unified communications for Network World and writes the Mostly Microsoft blog. Reach him at and follow him on Twitter @Tim_Greene.
