The May 2013 Patch Tuesday security updates from Microsoft, released Tuesday, featured a permanent patch for last week's IE8 zero-day flaw, along with fixes for several other IE vulnerabilities, a potential denial-of-service attack on Windows' IIS, and several other remotely exploitable flaws in various products.
The Internet Explorer 8 (IE8) zero day was found to have been used in watering hole attacks aimed at the U.S. Department of Labor's Site Exposure Matrices website. It was used to redirect visitors to a website that included a downloadable exploit that installed the Poison Ivy remote administration toolkit.
Ross Barrett, senior manager of security engineering at Boston-based vulnerability management vendor Rapid7 LLC, said the IE8 bug "is being actively exploited in the wild and has an exploit module available from Metasploit. This should be the top patching priority for anyone or any organization using Internet Explorer 8."
"Kudos to Microsoft for turning it around in such a short timeframe," said Wolfgang Kandek, chief technology officer of Redwood City, Calif.-based risk management vendor Qualys Inc. He noted that the Patch Tuesday updates also include "the expected update to Internet Explorer that addresses the two vulnerabilities used by researchers at VUPEN to exploit IE10 during the Pwn2Own competition at CanSecWest in Vancouver in March. The exploit is rated a '1' on the Microsoft Exploitability Index, meaning that Microsoft expects exploits to be developed within the next 30 days and that the attack vector would be a malicious website."
In all, Microsoft's May 2013 Patch Tuesday is comprised of 10 bulletins, addressing 33 vulnerabilities. Microsoft noted in its description of the update that there has been a change in "how we're communicating technical details within our security advisories. Starting today, customers will be able to clearly identify key security updates within advisories." The specific bulletins for this release can be found on Microsoft's Security TechCenter site.
Separately, in its own Patch Tuesday update, Adobe offered security updates for 13 critical flaws in its Flash Player, updates for Acrobat Reader, as well as updates for Adobe Air and a hotfix for several recent versions of ColdFusion that addresses vulnerabilities that allow remote execution and remote file access on ColdFusion servers.