Microsoft on Tuesday patched a dangerous zero-day vulnerability affecting Internet Explorer 8, one of 10 fixes that the software giant released as part of its monthly security update.
The IE 8 hole, which has been actively exploited in attacks against the U.S. government workers, temporarily was plugged last week when Microsoft distributed a Fix-It workaround. The permanent patch, addressed by MS13-038, prevents victims from being hit with an exploit if they visit a web page that has been compromised to serve malware.
The other "critical" patch introduced Tuesday by Microsoft is bulletin MS13-037, which addresses 11 additional vulnerabilities in IE. None of the bugs were publicly known, but they are present in all supported versions of the popular web browser.
Microsoft also tapped MS13-039 as high-priority bulletin. It addresses a single vulnerability in the HTTP protocol stack, known as HTTP.sys, a core Windows component that receives and processes HTTP requests. According to the bulletin, "the vulnerability could allow denial-of-service if an attacker sends a specially crafted HTTP packet to an affected Windows server or client."
The remaining seven patches address flaws in the .NET Framework, Lync, Publisher, Word, Visio, Windows Essentials and kernel-mode drivers.