Microsoft fixes 28 bugs, including zero-days, with Patch Tuesday release

With Microsoft's Patch Tuesday release today, researchers anticipated one zero-day fix, but it appears the update brought patches for two vulnerabilities being exploited in the wild.

The monthly security update, which also marked the 10th anniversary of Microsoft's Patch Tuesday releases, included eight patches: four deemed “critical” and four ranked “important.” In total, the patches addressed 28 vulnerabilities in the company's products, including two zero-day flaws affecting Internet Explorer: CVE-2013-3893 and CVE-2013-3897.

Security bulletin MS13-080 fixed both remote code execution bugs in IE, along with eight other privately reported bugs.

On Tuesday, Marc Maiffret, CTO of security firm BeyondTrust, wrote in a blog post that fixes for IE this month should be employed immediately, as attackers have already begun to leverage the flaws in attacks.

“In addition to the publicly disclosed vulnerability [CVE-2013-3893], another vulnerability, CVE-2013-3897, has also been seen in targeted attacks in the wild exploiting Internet Explorer 8 browsers,” Maiffret wrote, later advising users to “roll out this patch as soon as possible.”

On Tuesday, Daniel Chechik, a researcher on Trustwave's security team SpiderLabs, revealed in a blog post that the privately reported zero-day, CVE-2013-3897, had been in the wild for the past month, and was being distributed via infected websites in campaigns that targeted Japanese and Korean users.

As for the publicly disclosed zero-day, CVE-2013-3893, Microsoft began warning users on Sept. 16 about the vulnerability when it released a temporary fix for the issue.

Not long after Microsoft's advisory, researchers at advanced malware detection firm FireEye discovered that attackers infected at least three Japanese media websites to compromise users. The bug was eventually picked up in other campaigns, widening the geographical impact of the threat, FireEye said.

Aside from the critical bulletin addressing the IE bugs, the Patch Tuesday release also included three critical bulletins for remote code execution flaws in Windows and Microsoft .NET Framework.

In addition, the release fixed vulnerabilities ranked "important" in SharePoint Server, Excel, Word and Silverlight.

According to Microsoft's security blog, the privately reported vulnerability in Silverlight could allow attackers to disclose users' data if exploited.

Microsoft Silverlight is a free web browser plug-in used to create interactive web and mobile applications. To carry out the Silverlight exploit, an attacker would need to convince a user to visit a compromised website.
