Microsoft is to issue a security update for a zero-day vulnerability in Internet Explorer 8 (IE8), just a week...
after issuing a security advisory on the subject.
The patch is to be included in the 10 bulletins to be issued on 21 May in Microsoft’s Patch Tuesday monthly security update.
According to the Advance Notification, five bulletins cover vulnerabilities that allow for remote code execution (RCE), which should be the focus of patching for businesses, said Wolfgang Kandek, CTO at security firm Qualys.
Bulletin 2 is for the recently announced IE8 zero-day and is rated “critical” for granting RCE.
“This should be top of your list if you are on IE8, which, according to our BrowserCheck statistics, still accounts for about 43% of users,” said Kandek.
Bulletin 1 is also for IE and affects all versions from 6 to 10 on all Windows operating systems (OS) from XP to 8, and including RT.
It includes the patches for the vulnerabilities discovered at the PWN2OWN competition at CanSecWest in March of this year.
The remaining RCE-type vulnerabilities are concentrated on Microsoft Office. The most widely installed is probably Bulletin 7, which is for Word 2003 and Word Viewer.
Bulletin 6 covers the Microsoft Publisher included in Office 2003, 2007 and 2010, and Bulletin 5 is for Microsoft’s instant messaging modules - Communicator 2007 and Lync 2010.
There are also three bulletins (3,4 and 10) for Windows itself, that address denial of service (DoS), spoofing and elevation of privilege vulnerabilities, all of them local and rated “important.”
Adobe is also scheduled to release security updates on 21 May which include a new version of Adobe Reader and a patch for a new zero-day vulnerability in ColdFusion.