Microsoft closes 33 security holes in May
Like Adobe, Microsoft has provided extensive patches on its patch day for May. On Tuesday night, the company issued ten patch bulletins to close a total of 33 security holes. Two of the bulletins fix critical holes, all of them in Internet Explorer. Patches have also been released for all versions of Windows, for Office, and for Windows Essentials.
Particularly noteworthy is bulletin MS13-038, which fixes a critical hole in Internet Explorer 8 that is already being exploited for attacks. The hole is contained in the CGenericElement object and is caused by a "use-after-free" bug, in which code accesses a memory area that has already been deallocated, in a way that can be exploited. The other bulletin for Internet Explorer affects all currently supported versions (6 to 10) of the browser. The patch collection closes a range of critical holes, also caused by use-after-free issues, that allow malicious code to be injected.
Microsoft rates the remaining bulletins as important. MS13-046 fixes privilege elevation holes in all Windows kernels. MS13-039 only affects Windows 8 and Server 2012: on these systems, attackers can use specially crafted HTTP headers to confound the HTTP.sys kernel driver and cause client and server failures that could be exploited for denial-of-service attacks.
Three bulletins fix issues in Microsoft Office components: patches have been released for Publisher 2003 to 2010, Word 2003 and Word Viewer, and Visio 2003 to 2010. Microsoft has also released patches to close holes in .NET Framework 2.0 to 4.5, as well as the Communicator 2007 R2 conferencing software and Lync 2010 to 2013. Finally, Microsoft's May Patch Tuesday also includes security updates for the Windows Essentials 2011 and 2012 tool collections.