Microsoft to patch critical Windows, IE bugs next week

One of the critical flaws addressed allows IE 10 to be exploited by attack code placed on compromised Web sites.

Steven Musil Night Editor / News

Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.

Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.

See full bio

Steven Musil

March 6, 2014 1:05 a.m. PT

2 min read

Microsoft has marked two of the five security updates it plans to release next week as "critical," including one that addresses a vulnerability in Internet Explorer that is currently being exploited in the wild.

One of the updates announced in a security bulletin Thursday will patch a flaw in IE 10 -- discovered last month by security company FireEye -- being exploited by attack code found on the Veterans of Foreign Wars' Web site. Security firm Websense reported finding similar code exploiting the same flaw on the compromised Web site of a French aerospace association, indicating there was evidence the exploits had been circulating since January 20.

Last month, Microsoft delivered a Fixi-It tool as a temporary fix for the IE flaw, which was rated as "critical," Microsoft's most severe classification. The flaw also affects IE 9 but is not being exploited in that version.

The security update also addresses a Windows vulnerability rated as critical that allows remote code execution in all Windows versions other than RT and Server Core. Two other Windows updates rated as important address a privilege elevation vulnerability and a security feature bypass, affect nearly all Windows versions.

A fifth update, also rated as important, patches a a security feature bypass flaw in Silverlight 5, the most recent version of its multimedia player plug-in used to deliver streaming content to Windows and Mac OS X computers.

The security updates address vulnerabilities on most supported versions of Windows, including Window XP, the 12-year-old operating system that Microsoft will stop supporting in April.

"Windows XP is affected by all five updates, and there is really no reason to expect this picture to change; Windows XP will continue to be impacted by the majority of vulnerabilities found in the Windows ecosystem, but you will not be able to address the issues anymore," blogged Qualys CTO Wolfgang Kande. "Windows XP is getting its penultimate update and is now very close (just over 30 days) to its declared end of life date."

"So you need a strategy for the XP machines remaining in your infrastructure," Kande wrote. "We are still seeing a significant number of XP machines in our scans."

The security updates are scheduled to be released on March 11.