Microsoft Patch Tuesday fills massive zero-day hole in Internet Explorer
Microsoft's web browser found to have 37 vulnerabilities
Internet Explorer (IE) users are being urged to patch up systems as soon as possible, after a fix was pushed out to address 37 vulnerabilities in the browser.
Patches have been made available for another five flaws affecting Microsoft Lync and the .NET Framework.
According to a Microsoft advisory, the "security update resolves one publicly disclosed and 36 privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted web page using Internet Explorer".
"An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights."
The firm advises users to update as soon as possible.
Amol Sarwate, vulnerability labs director for Qualys, said this month's vulnerability fixes represented "a light patch cycle, but it could prove critical for IE users or those who run ASP.NET and IIS".
Trustwave threat intelligence manager, Karl Sigler, also said the patch cycle for IE was lighter than in previous months, "but it's likely that several of these CVEs have already been exploited in the wild or will be weaponised soon".
"To protect yourself from these threats, you will want to apply this update as soon as possible."
The other three security bulletins, rated important, fix denial of service problems in Windows and .NET, a Windows elevation of privilege flaw and a denial of service issue affecting Lync Server.
Tyler Reguly, manager of security research at security firm Tripwire, said that for the .NET flaw, "the only known attack vector is ASP.NET, so upgrading IIS server hosting ASP.NET websites should be the top priority when triaging systems to update. The specific denial of service, which could lead to resource exhaustion, is caused by a hash collision."