Secplicity - Security Simplified

Powered by WatchGuard Technologies

Microsoft Black Tuesday: Fix for IE8 Zero Day and More

May 14, 2013 By Corey Nachreiner

Calling all Microsoft administrators. It’s time to spin up your virtual test machines and download, test, and deploy May’s batch of Microsoft security updates. This month’s theme is IE updates, with a focus on a recent IE zero day vulnerability and a continuation of the “use after free” vulnerability theme I commented on last month.

According to their summary post, Microsoft released ten security bulletins today, fixing around 33 security vulnerabilities in many of their popular products. The affected software includes Internet Explorer (IE), Windows and related components, products from the Office suite (Word, Visio, and Publisher), Lync, and Windows Essentials. Microsoft rates the IE updates as Critical, and the rest as Important.

As I mentioned earlier, today’s theme definitely centers around IE. Last week’s security video covered how attackers have recently been exploiting a zero day IE8 vulnerability in the wild—most notably against the Department of Labor web site. One of today’s updates completely fixes this serious flaw. The other IE update continues to fix more “use after free” vulnerabilities, a class of memory corruption flaws that researchers and attackers have focused on lately. I highly recommend you install today’s IE updates immediately, then follow with the Windows and Office updates.

As an aside, Microsoft also released or updated four security advisories today. One of the updates has to do with one of today’s bulletins, but the other three are new. Once you’re finished handling today’s patches, you should check out Microsoft’s security advisory page as well.

We’ll share more details about today’s bulletins in upcoming alerts. Until then, feel free to check out Microsoft’s May bulletin summary. — Corey Nachreiner, CISSP (@SecAdept)

Filed Under: Uncategorized Tagged With: Department of Labor, DoL, IE8, Internet Explorer, Lync, Microsoft, MS Patch Day, Updates and patches, use after free, Windows Essentials, Zero day exploit

Comments

  1. James says

    May 14, 2013 at 12:36 pm

    At least Microsoft fixes issues… Would be nice if you did a post on how WatchGuard is unwilling to fix SpamBlocker which has been completely worthless since the release of 11.7.1.

    Please see: http://www.watchguard.com/forum/?boardID=FirewareXTMBoard&action=9&read=47977&fid=656

    • Corey Nachreiner says

      May 14, 2013 at 12:43 pm

      James,

      Thanks for your comment. The latest, as I understand it, is that we have released 11.7.2 Update 1. This update has a newer SDK, and other changes, and word from the field is the spam efficacy is good again.

      Though we certainly heard issues from the field with the initial release, the latest update has generated mostly positive response.

  2. James says

    May 14, 2013 at 2:23 pm

    Thanks for the reply, but if you check the board I listed you will see from the actual experiences of Administrators that the update is not working and that the new spam provider, Mailshell, is totally inferior to Commtouch (used on 11.7 and prior). I can personally attest to a 50% increase in allowed spam while running 11.7.2 Update1. After one day I was forced to revert back to 11.7. Simply put, we all feel betrayed by WatchGuard. SpamBlocker was a great product, but is now worthless.

    I wish someone there would actually be honest and admit that WatchGuard totally dropped the ball.
