One of the critical flaws addressed allows IE10 to be exploited by attack code placed on compromised Web sites.
March 6, 2014 9:35 PM PST
Microsoft has marked two of the five security updates it plans to release next week as “critical,” including one that addresses a vulnerability in Internet Explorer that is currently being exploited in the wild.
One of the updates announced in a security bulletin Thursday will patch a flaw in IE10 that security company FireEye discovered last month being exploited by attack code found on the Veterans of Foreign Wars’ Web site. Security firm Websense reported finding similar code exploiting the same flaw on the compromised Web site of a French aerospace association, evidence that the exploits had been circulating since January 20.
Last month, Microsoft delivered a Fix it tool as a temporary fix for the IE flaw, which was rated as “critical,” Microsoft’s most severe classification.
The flaw also affects IE9 but is not being exploited in that version.
The security update also addresses a Windows vulnerability, likewise rated as critical, that allows remote code execution in all Windows versions other than RT and Server Core. Two other Windows updates rated as important address a privilege elevation vulnerability and a security feature bypass, affecting nearly all Windows versions.
A fifth update, also rated as important, patches a security feature bypass flaw in Silverlight 5, the most recent version of Microsoft’s multimedia player plug-in used to deliver streaming content to Windows and Mac OS X computers.
The security updates address vulnerabilities on most supported versions of Windows, including Windows XP, the 12-year-old operating system that Microsoft will stop supporting in April.
“Windows XP is affected by all five updates, and there is really no reason to expect this picture to change; Windows XP will continue to be impacted by the majority of vulnerabilities found in the Windows ecosystem, but you will not be able to address the issues anymore,” blogged Qualys CTO Wolfgang Kandek. “Windows XP is getting its penultimate update and is now very close (just over 30 days) to its declared end of life date.”
“So you need a strategy for the XP machines remaining in your infrastructure,” Kandek wrote. “We are still seeing a significant number of XP machines in our scans.”
The security updates are scheduled to be released on March at 10 a.m. PT.