When the vulnerability was made public last month, malicious hackers quickly put it to use. An exploit based on the vulnerability was added to the popular penetration testing framework Metasploit, where it could be used on its own, or as one in a chain of vulnerabilities designed to gain illicit access to computers. Most of the attacks targeted versions 8 and 9 of IE, though all currently supported versions of the browser could be affected.
The IE vulnerability might have been severe enough to warrant Microsoft issuing an out-of-band patch before this month's Patch Tuesday. Instead, the company issued instructions on how to temporarily fix the problem and scheduled the correction for this month's Patch Tuesday. The move was a wise one, Kandek said. "Every time you go out of band, it makes the work of the IT administrators harder, because they have to react to it and push out patches that they were not prepared for," he said.
Although Microsoft deemed the Office patches only as "important," Kandek advised administrators to apply these as soon as possible as well. Computers with either Microsoft Excel or Microsoft Word could be compromised by a maliciously crafted file that harnesses these vulnerabilities to gain control of the user's computer.
"You need to open a file in order to be infected," Kandek said. Qualys sees these vulnerabilities as critical because "opening a Word file or an Excel file is not much of an obstacle," Kandek said.
These exploits could also prove to be dangerous in that Office tends not to be patched by administrators or users with the same frequency as IE, Kandek said.
In addition to issuing the patches this Tuesday, Microsoft also awarded a $100,000 bounty to security researcher James Forshaw for developing a mitigation bypass technique to compromise Microsoft Windows computers by exploiting a series of bugs. Microsoft can use this technique to better understand, and defend against, entire classes of attacks, the company stated.
Adobe also issued critical patches on Tuesday for Adobe Reader and Adobe Acrobat. Kandek recommends patching this software as soon as possible as well.