This month’s Patch Tuesday cycle will bring a total of five bulletins

Mar 8, 2014 08:35 GMT

Microsoft has announced that this month’s Patch Tuesday rollout will bring a total of five security bulletins that fix flaws in Windows, Internet Explorer, and Silverlight.

Two of the bulletins are rated as “critical,” Microsoft explained, while the other three are said to be “important.”

MS14-012, the company added, will be updated to address an Internet Explorer flaw discovered in February and unpatched until now, so users are strongly advised to deploy the fixes on Tuesday as soon as they become available.

Microsoft has confirmed that it is aware of attacks attempting to exploit this vulnerability, but only limited attempts have been registered so far. The company has already released a Fix it solution for this flaw, but this is the first full patch addressing it.

“The update provided in MS14-012 fully addresses the issue first described in Security Advisory 2934088. While we have seen a limited number of attacks using this issue, they have only targeted Internet Explorer 10. Customers using other versions of Internet Explorer have not been impacted,” Microsoft pointed out.

The zero-day vulnerability discovered in mid-February was reportedly used in a number of attacks across the world, including attempts aimed at members of the US military.

Security company FireEye was the first to report the vulnerability, saying that the website of the US Veterans of Foreign Wars had been compromised with the help of this zero-day flaw in Internet Explorer to load another webpage in the background containing malicious Flash objects.

“The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website,” Microsoft pointed out in February, while also recommending that users deploy the Fix it solution and avoid loading websites that look suspicious.

At that time, Microsoft said that Internet Explorer 9 was also affected, but it turns out that IE10 is the only vulnerable build of the browser.

As usual, all patches will be delivered via Windows Update, which means that no user interaction is required. Windows fixes will also be available as part of the security release ISO image rolled out each month and aimed at system administrators who want to deploy the patches on computers without Internet access.