Microsoft Security Update

Microsoft Releases Two Critical Patches; Promises Update for IE Watering Hole Zero Day

It’s Microsoft Patch Tuesday, and while there were two critical security updates released today, the concern among IT managers is likely over the patch that isn’t there. Microsoft’s monthly security bulletins do not address a zero-day vulnerability in Internet Explorer that has been actively exploited in a series of watering hole attacks reported around Christmas that have been ongoing for a month.

A rare critical Microsoft Word vulnerability was patched today by Microsoft, one of seven security updates pushed out repairing 11 flaws in its December security update. The Word vulnerability earned a critical rating because the Outlook email client uses Word to display documents in the Outlook preview pane, which removes the need for user interaction to trigger an exploit.

Microsoft released its monthly security updates today and put special urgency on a cumulative security update for Internet Explorer 9. Critical vulnerabilities were found in the way the browser handles objects in memory which could lead to an attacker remotely executing code. Victims would have to land on a website hosting an exploit, Microsoft said. The company said there are no public exploits for this vulnerability.

Microsoft issued a security advisory Monday night and recommended several workarounds to mitigate a zero-day vulnerability in Internet Explorer reported over the weekend that is being exploited in the wild. Microsoft said it is still investigating the vulnerability, and may issue an out-of-band security update to patch the problem, or wait until the next Patch Tuesday update Oct. 9.
