Microsoft Patch Tuesday fills massive zero-day hole in Internet Explorer

Microsoft's web browser found to have 37 vulnerabilities

Internet Explorer (IE) users are being urged to patch up systems as soon as possible, after a fix was pushed out to address 37 vulnerabilities in the browser.

Patches have been made available for another five flaws affecting Microsoft Lync and the .NET Framework.

According to a Microsoft advisory, the "security update resolves one publicly disclosed and 36 privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted web page using Internet Explorer".

"An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights."

The firm advises users to update as soon as possible.

Amol Sarwate, vulnerability labs director for Qualys, said this month's vulnerability fixes represented "a light patch cycle, but it could prove critical for IE users or those who run ASP.NET and IIS".

Trustwave threat intelligence manager, Karl Sigler, also said the patch cycle for IE was lighter than in previous months, "but it's likely that several of these CVEs have already been exploited in the wild or will be weaponised soon".

"To protect yourself from these threats, you will want to apply this update as soon as possible."

The other three security bulletins, rated important, fix denial of service problems in Windows and .NET, a Windows elevation of privilege flaw and a denial of service issue affecting Lync Server.

Tyler Reguly, manager of security research at security firm Tripwire, said that for the .NET flaw, "the only known attack vector is ASP.NET, so upgrading IIS server hosting ASP.NET websites should be the top priority when triaging systems to update. The specific denial of service, which could lead to resource exhaustion, is caused by a hash collision."
