Microsoft Plans Internet Explorer Fixes for Patch Tuesday

Microsoft will close serious vulnerabilities in all versions of Internet Explorer as part of this month's Patch Tuesday update.

The remote code execution flaw affects Internet Explorer versions 6, 7, 8, 9, and 10 running on all Windows operating systems except XP, Microsoft said in its pre-Patch Tuesday notification advisory. Attackers are actively exploiting this flaw in the wild, Microsoft said.

"We always recommend upgrading to the latest version of any software, as that’s typically the most secure. If your system is compatible with IE 10 and you’re not running it already, upgrade now," said Paul Henry, a security and forensic analyst at Lumension.

On Wednesday, Microsoft released a hotfix as a temporary fix for the zero-day vulnerability in Internet Explorer 8 used in the watering hole attack found on the Department of Labor Website. Organizations and home users running Internet Explorer 8 should apply the "fix it" workaround until the proper patch is available, Ross Barrett, senior manager of security engineering at Rapid7, told SecurityWatch. 

If Microsoft releases the full patch this week, that update "should be the top patching priority," Barrett said. If the full patch is not included, Microsoft will likely release it as an out-of-band patch later this month, Barrett said.

Security experts believe this month's Patch Tuesday release would also include a fix for the bug disclosed during the Pwn2Own competition last March.

Microsoft is expected to release 10 bulletins, of which two will be rated "critical" and the remaining as "important." Both critical bulletins are for Internet Explorer. The remaining patches will address issues in remote code execution bugs in various Office products and Lync (formerly Communicator), as well as spoofing and elevation of privilege vulnerabilities in all versions of Windows, from Windows XP to Windows RT and Windows 8. One bulletin will close a denial-of-service vulnerability in the newer versions of the OS.