Microsoft Patch Tuesday fills massive zero-day hole in Internet Explorer

Microsoft's web browser found to have 37 vulnerabilities

Internet Explorer (IE) users are being urged to patch up systems as soon as possible, after a fix was pushed out to address 37 vulnerabilities in the browser.

Patches have been made available for another five flaws affecting Microsoft Lync and the .NET Framework.

According to a Microsoft advisory, the "security update resolves one publicly disclosed and 36 privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted web page using Internet Explorer".

"An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights."

The firm advises users to update as soon as possible.

Amol Sarwate, vulnerability labs director for Qualys, said this month's vulnerability fixes represented "a light patch cycle, but it could prove critical for IE users or those who run ASP.NET and IIS".

Trustwave threat intelligence manager, Karl Sigler, also said the patch cycle for IE was lighter than in previous months, "but it's likely that several of these CVEs have already been exploited in the wild or will be weaponised soon".

"To protect yourself from these threats, you will want to apply this update as soon as possible."

The other three security bulletins, rated important, fix denial of service problems in Windows and .NET, a Windows elevation of privilege flaw and a denial of service issue affecting Lync Server.

Tyler Reguly, manager of security research at security firm Tripwire, said that for the .NET flaw, "the only known attack vector is ASP.NET, so upgrading IIS server hosting ASP.NET websites should be the top priority when triaging systems to update. The specific denial of service, which could lead to resource exhaustion, is caused by a hash collision."
