Microsoft Patches Critical IE Vulnerabilities and Actively Exploited Office Flaw
A new batch of security updates released by Microsoft on Tuesday address a total of 23 vulnerabilities in Internet Explorer, Windows and Microsoft Office, including one that is actively exploited by attackers. The handling of digital certificates in Windows was also improved.
Only the security bulletin for Internet Explorer, identified as MS13-047, is rated critical. This bulletin addresses 19 privately reported vulnerabilities that affect all Internet Explorer versions, from IE 6 to 10, and could allow remote attackers to execute code on computers with the privileges of the active user.
In order to exploit one of these vulnerabilities attackers need to set up a maliciously crafted Web page and trick users into visiting it. However, on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, Internet Explorer runs in a restricted mode called Enhanced Security Configuration that mitigates the vulnerability.
These Internet Explorer vulnerabilities might be a target for attackers who could try to reverse engineer the patches and build reliable exploits, said Wolfgang Kandek, the chief technology officer at security vendor Qualys.
More: Microsoft Patches Critical IE Vulnerabilities and Actively Exploited Office Flaw