Microsoft is fixing at least 19 vulnerabilities in the cumulative MS13-047 update, though it is missing at least one other public IE vulnerability.
“Microsoft is not fixing a recent vulnerability that Tavis Ormandy had alluded to in March and has recently (June 3) published an exploit for on the full-disclosure mailing list,” Wolfgang Kandek, CTO of Qualys, said. “The zero-day vulnerability allows an attacker already on the machine to gain admin privileges, and we can assume that the underground is working to make that vulnerability part of their arsenal.”
Kandek expects that Ormandy’s flaw will be addressed next Patch Tuesday unless wider exploitation in the wild is detected. Microsoft has been hit with multiple zero-day flaws targeting IE in 2013. Prior to Ormandy’s disclosure, the most recent zero-day flaw was rapidly patched as part of the May Patch Tuesday update.