InfoSec – Microsoft Announces Special Patch for IE 0-day (Win XP included!)

Microsoft will release a special update later today (10am PT, 1pm ET, 7pm UTC) fixing the Internet Explorer vulnerability which has been used in targeted attacks recently. The vulnerability was announced late last week and affects Internet Explorer 6 and later on Windows versions back to Windows XP. The patch will be published as MS14-021 in line with the May update which is still expected for Tuesday, May 13th.

We do rate this bulletin as "PATCH NOW!" for clients. Even though many organizations started to move away from Internet Explorer as a primary browser, it may still launch in some cases and unless you are using a non-Microsoft operating system you are likely vulnerable. Even servers should apply this patch, but it is less likely that the vulnerability is exposed on a server. Microsoft downplays the risk of the vulnerability for servers by labeling it as "Moderate" due to the crippled default configuration of Internet Explorer on servers.

The patch pre-announcement does specifically list Widnows XP SP3 as vulnerable, indicating that the patch may cover Windows XP SP 3 even though no more patches were expected for Windows XP.

Overview of the May 2014 Microsoft patches and their status.

# Affected Contra Indications – KB Known Exploits Microsoft rating(**) ISC rating(*)

clients servers

MS14-021 Vulnerabilities in Internet Explorer

Microsoft Internet Explorer

CVE-2014-1776 KB 2963983 Used in targeted exploits. Severity:Critical

Exploitability: 1 PATCH NOW! Critical

via InfoSec Handlers Diary Blog – Microsoft Announces Special Patch for IE 0-day (Win XP included!).


No Comments so far.

Leave a Reply