IT administrators and the likes are expected to have a long day today, as Microsoft releases its security bulletin for May that resolves 33 vulnerabilities. Though this is not Microsoft’s biggest release (April 2011’s 17 bulletins 64 vulnerabilities come to mind), it is crucial for users to apply these security updates, which include a resolution to the zero-day incident involving the US Department of Labor webpage.
This roster of updates include two Critical bulletins addressing Internet Explorer (IE). The first one resolves around a vulnerability found on IE versions 6 to 10 on all Windows OSs, from Windows XP to Windows 8. It also addresses the vulnerability in IE 10 uncovered during the Pwn2Own contest last March.
The other critical IE bulletin deals with a vulnerability limited to IE 8, which made the headlines recently because of a related zero-day exploit found in a US Department of Labor webpage. Based on our own investigation, users visiting this compromised site are lead to a series of redirections until their systems are infected with a BKDR_POISON variant.
Even before this month’s release, Trend Micro Deep Security has been protecting users from this vulnerability via rule 1005491 – Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-1347).
The rest of the bulletins were tagged as Important, which includes a security flaw in Windows that may lead to a denial of service (DoS) attack.
Just like last month, Adobe also released their security bulletins today, which include fixes for Adobe Reader and Acrobat, Flash Player. The software vendor also issued a “security hotfix” for a ColdFusion vulnerability, which is reportedly being exploited in the wild.
Users are advised to implement these bulletins as soon as possible to avoid exploits similar to the US DoL incident. For more details about how Trend Micro can protect users, you may refer to this Threat Encyclopedia page.
We’re trying to make the Security Intelligence Blog better. Please take this survey to tell us how.