News

May 2013 Patch Tuesday fixes IE8 zero day; Adobe tightens ColdFusion

Robert Richardson, Editorial Director

The May 2013 Patch Tuesday security updates from Microsoft, released Tuesday, featured a permanent patch for last week's IE8 zero-day

    Requires Free Membership to View

flaw, along with fixes for several other IE vulnerabilities, a potential denial-of-service attack on Windows' IIS, and several other remotely exploitable flaws in various products.

The Internet Explorer 8 (IE8) zero day was found to have been used in watering hole attacks aimed at the U.S. Department of Labor's Site Exposure Matrices website. It was used to redirect visitors to a website that included a downloadable exploit that installed the Poison Ivy remote administration toolkit.

Ross Barrett, senior manager of security engineering at Boston-based vulnerability management vendor Rapid7 LLC, said the IE8 bug "is being actively exploited in the wild and has an exploit module available from Metasploit. This should be the top patching priority for anyone or any organization using Internet Explorer 8."

"Kudos to Microsoft for turning it around in such a short timeframe," said Wolfgang Kandek, chief technology officer of Redwood City, Calif.-based risk management vendor Qualys Inc. He noted that the Patch Tuesday updates also include "the expected update to Internet Explorer that addresses the two vulnerabilities used by researchers at VUPEN to exploit IE10 during the Pwn2Own competition at CanSecWest in Vancouver in March. The exploit is rated a '1' on the Microsoft Exploitability Index, meaning that Microsoft expects exploits to be developed within the next 30 days and that the attack vector would be a malicious website."

In all, Microsoft's May 2013 Patch Tuesday is comprised of 10 bulletins, addressing 33 vulnerabilities. Microsoft noted in its description of the update that there has been a change in "how we're communicating technical details within our security advisories. Starting today, customers will be able to clearly identify key security updates within advisories." The specific bulletins for this release can be found on Microsoft's Security TechCenter site.

Separately, in its own Patch Tuesday update, Adobe offered security updates for 13 critical flaws in its Flash Player, updates for Acrobat Reader, as well as updates for Adobe Air and a hotfix for several recent versions of ColdFusion that addresses vulnerabilities that allow remote execution and remote file access on ColdFusion servers.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: