Prompted by the disclosure of a zero-day vulnerability in Internet Explorer 8 more than six months after it was reported, Microsoft next Tuesday will finally issue a patch.
HP’s Zero Day Initiative (ZDI) released on May 21 some details on a previously unreported use-after-free bug in IE 8. No public exploits were reported, and while Microsoft acknowledged receipt of the vulnerability report from ZDI, it had not produced a patch prior to ZDI’s disclosure under its disclosure guidelines.
The vulnerability affects only IE 8, which lacks some of the exploit mitigations in later versions of the browser. Microsoft said in May that it was aware of the issue.
“Some fixes are more complex than others, and we must test every one against a huge number of programs, applications and different configurations,” a Microsoft spokesperson said. “We continue to encourage customers to upgrade to a modern operating system, such as Windows 7 or 8.1, and run the latest version of Internet Explorer, which includes further protections.”
The IE patch is one of two bulletins Microsoft has rated critical for next week’s Patch Tuesday security updates. There will be seven bulletins in all, five rated important by the company. The IE patch will likely be a cumulative rollup as it affects the browser all the way back to IE 6 on Windows Server 2003.
The second critical bulletin is also a remote code execution vulnerability, this one in Microsoft Office and Microsoft Lync, the company’s messaging and video conferencing application. The vulnerability is rated critical for Lync 2013 and 2010, as well as Live Meeting 2007 Console; it is rated important for Microsoft Office 2010 and Office 2007.
“Given that the second bulletin will affect Lync Server and the older Live Meeting Console this may be a truly remotely exploitable vulnerability,” said Ross Barrett, senior manager of security engineering at Rapid7.
Windows Server 2003, it should be noted, is about to enter its last year of support; it is scheduled to go end-of-life in July 2015.
“We are coming up on just a year out now and because any changes to your server will likely be a significant amount of work, it isn’t too soon to get started on that plan,” said Russ Ernst, director, product management, Lumension.
The remaining bulletins, all rated important, include a remote code execution bug in Office, separate information disclosure vulnerabilities in Windows and Lync Server, a denial-of-service vulnerability in Windows, and a tampering vulnerability in Windows.
“The tampering label on the seventh bulletin may suggest it allows a message to be altered in transit,” Barrett said. “Probably a limited scenario for exploitation.”