Microsoft fixes 28 bugs, including zero-days, with Patch Tuesday release

With Microsoft's Patch Tuesday release today, researchers anticipated one zero-day fix, but it appears the update brought patches for two vulnerabilities being exploited in the wild.

The monthly security update, which also marked the 10th anniversary of Microsoft's Patch Tuesday releases, included eight patches: four deemed “critical” and four ranked “important.” In total, the patches addressed 28 vulnerabilities in the company's products, including two zero-day flaws affecting Internet Explorer: CVE-2013-3893 and CVE-2013-3897.

Security bulletin MS13-080 fixed both remote code execution bugs in IE, along with eight other privately reported bugs.

On Tuesday, Marc Maiffret, CTO of security firm BeyondTrust, wrote in a blog post that this month's IE fixes should be applied immediately, as attackers have already begun exploiting the vulnerabilities they address.

“In addition to the publicly disclosed vulnerability [CVE-2013-3893], another vulnerability, CVE-2013-3897, has also been seen in targeted attacks in the wild exploiting Internet Explorer 8 browsers,” Maiffret wrote, later advising users to “roll out this patch as soon as possible.”

On Tuesday, Daniel Chechik, a researcher on Trustwave's security team SpiderLabs, revealed in a blog post that the privately reported zero-day, CVE-2013-3897, had been in the wild for the past month and was being distributed via infected websites in campaigns that targeted Japanese and Korean users.

As for the publicly disclosed zero-day, CVE-2013-3893, Microsoft began warning users on Sept. 16 about the vulnerability when it released a temporary fix for the issue.

Not long after Microsoft's advisory, researchers at advanced malware detection firm FireEye discovered that attackers infected at least three Japanese media websites to compromise users. The bug was eventually picked up in other campaigns, widening the geographical impact of the threat, FireEye said.

Aside from the critical bulletin addressing the IE bugs, the Patch Tuesday release also included three critical bulletins for remote code execution flaws in Windows and Microsoft .NET Framework.

In addition, the release fixed vulnerabilities ranked "important" in SharePoint Server, Excel, Word and Silverlight.

According to Microsoft's security blog, the privately reported vulnerability in Silverlight could allow attackers to disclose users' data if exploited.

Microsoft Silverlight is a free web browser plug-in used to create interactive web and mobile applications. To carry out the Silverlight exploit, an attacker would need to convince a user to visit a compromised website.
