Microsoft’s September “Patch Tuesday” security updates this week included 37 security patches for Internet Explorer, including a critical zero day defect. The term zero day refers to the fact that until now the defect was unidentified.
The bug can be exploited to identify path names, file names and Internet Protocol addresses. According to Microsoft, the vulnerability has been used to identify Windows computers that do not have antivirus protection installed, leaving them vulnerable to further compromise.
Such information can be particularly damaging for enterprise computers, given that they are all likely to have similar file structures: Understanding the file structure of one machine will give malware writers a good idea of how the others are structured.
Microsoft also released updates to address vulnerabilities in Windows, .NET Framework, and Lync Server. Some of these vulnerabilities could allow remote code execution, elevation of privilege, or denial of service.