- V3 Apps
Users and administrators are being advised to update their systems following the release of Microsoft's monthly security update.
The May edition of Patch Tuesday includes critical fixes for a zero-day vulnerability in Internet Explorer (IE) along with one other patch rated by the company as a critical security risk. If exploited, the flaws could allow an attacker to remotely execute code on a targeted system.
Microsoft has listed the critical patches as a top deployment priority, a sentiment shared by security experts following the release.
Marc Maiffret, chief technology officer for BeyondTrust, told V3 that the scope of the flaws, which impacted every current supported version of both IE and Windows, along with the zero-day status, make the deployments an important fix for all users.
Maiffret noted that while an alternative browser such as Chrome or Firefox could mitigate some of the risk, users should still keep their systems patched in case IE is still set as the default application for some files and applications.
"We have a lot of customers that do run Chrome," he said, "the thing you want to make sure of is that you don't just have Chrome installed alongside but make sure it is the default browser, and not just the browser on the desktop."
Other security issues addressed in the update include eight bulletins rated by Microsoft as 'important' security risks. The flaws include remote code execution as well as a denial of service and another elevation of privilege flaw which could prove to be bigger issues for some customers.
Maiffret said that for administrators of Windows Server 2012 systems, a flaw in the HTTP.sys component could be targeted to perform denial of service attacks, possibly crippling a system and preventing user access for the duration of the attack. The fix has been classified as a top deployment priority for Server 2012.
Similarly, a flaw in Windows XP could be exploited in conjunction with other attacks. Maiffret, who does not recommend running the dated platform in a business setting due to security concerns, explained that an attacker could potentially target one of the Internet Explorer flaws to access a system with local user clearance and then target the elevation privilege flaw to gain total control over the system and potentially wreak further havoc.