Among the critical bulletins in this month's Patch Tuesday update is the MS12-07 cumulative security update for Internet Explorer. That update fixes 13 vulnerabilities, including one first reported to Microsoft in March by security research firm VUPEN at the Pwn2Own hacking challenge.
Why did it take Microsoft three months to fix the VUPEN flaw? Jason Miller, Manager of Research and Development at VMware, told InternetNews that he believes Microsoft spent the extra time ensuring the fix worked without breaking any functionality in Internet Explorer. Microsoft also had the luxury of time on the VUPEN flaw, owing to the confidential nature of the disclosure.
“The vulnerability was privately disclosed, so this gave Microsoft more time to work on the fix for it,” Miller said. “If the vulnerability had been disclosed to the public, I am sure Microsoft would have accelerated the release cycle for the vulnerability.”
Even with the seven security bulletins in the June Patch Tuesday update, there is still an additional security issue that Windows users need to remediate.
The recent discovery of the Flame malware was accompanied by a disclosure from Microsoft that bad certificates signed by Microsoft might have enabled the outbreak. To help mitigate the risk from other potentially bad certificates, Microsoft is now issuing an updater for Windows Vista and Windows 7 to remove untrusted certificates.