June's Microsoft Patch Tuesday contains seven bulletins, including two rated “Critical” and five rated “Important”. One of the two “Critical” bulletins is for Internet Explorer and contains patches for a massive fifty-nine CVEs, almost all of which are marked with a critical severity. This includes a patch for the “CMarkup Use-After-Free RCE Vulnerability” in Internet Explorer 8 (CVE-2014-1770). TippingPoint Zero Day Initiative released this advisory on May 21 without a patch from Microsoft. It’s very rare for a security vendor to release any advisory when no patch is available. TippingPoint publicly disclosed the advisory after Microsoft missed a 180-day deadline set by TippingPoint.
Approximately a quarter of Internet Explorer installations are still on version 8. This is likely due to the fact that it is the most current version available for the retired Windows XP platform. With a majority of IE 8 users still running Windows XP, this means that neither an IE upgrade nor a patch will be available to most users.