Microsoft Patch Tuesday fills massive zero-day hole in Internet Explorer
Microsoft's web browser found to have 37 vulnerabilities
Internet Explorer (IE) users are being urged to patch up systems as soon as possible, after a fix was pushed out to address 37 vulnerabilities in the browser.
Patches have been made available for another five flaws affecting Microsoft Lync and the .NET Framework.
According to a Microsoft advisory, the "security update resolves one publicly disclosed and 36 privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted web page using Internet Explorer".
"An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights."
The firm advises users to update as soon as possible.
Amol Sarwate, vulnerability labs director for Qualys, said this month's vulnerability fixes represented "a light patch cycle, but it could prove critical for IE users or those who run ASP.NET and IIS".
Trustwave threat intelligence manager, Karl Sigler, also said the patch cycle for IE was lighter than in previous months, "but it's likely that several of these CVEs have been already been exploited in the wild or will be weaponised soon".
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
"To protect yourself from these threats, you will want to apply this update as soon as possible."
The other three security bulletins, rated important, fix denial of service problems in Windows and .NET, a Windows elevation of privilege flaw and a denial of service issue affecting Lync Server.
Tyler Reguly, manager of security research at security firm Tripwire, said that for the .NET flaw, "the only known attack vector is ASP.NET, so upgrading IIS server hosting ASP.NET websites should be the top priority when triaging systems to update. The specific denial of service, which could lead to resource exhaustion, is caused by a hash collision."
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.