Microsoft is out this week with its May Patch Tuesday update, which includes 10 bulletins fixing 33 vulnerabilities across Microsoft products. Included among those fixes are two critical patches for two-month-old vulnerabilities in IE disclosed at Pwn2Own, as well as a patch for a zero-day vulnerability just disclosed last week.
The MS13-038 bulletin details a critical zero-day flaw that was used in an attack against the U.S. Department of Labor. Microsoft first admitted the flaw on May 3 and has been scrambling ever since to get the issue fixed.
“Our engineers worked around the clock to prepare and test MS13-038, which will help keep customers safe by permanently addressing the Internet Explorer 8 issue,” Dustin Childs, group manager, Response Communications, Microsoft Trustworthy Computing, said in a statement.
The flaw, as detailed in Microsoft’s bulletin, is a use-after-free memory error.
“A remote code execution vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated,” Microsoft warns. “The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer.”