Patch Tuesday provides one zero-day fix, while patch for another still looms


Microsoft's monthly security update addresses a freshly discovered zero-day vulnerability that was actively compromising users via drive-by download attacks.

The Patch Tuesday release was dispatched today for users, and included eight bulletins that rectify 19 unique vulnerabilities in Windows, Internet Explorer and Office.

Prior to the update, organizations awaited fixes for two zero-day flaws: a remote code execution bug (CVE-2013-3918) disclosed by FireEye last Friday, which was addressed; and another zero-day, made public last Tuesday, that has yet to receive a permanent fix.

The unpatched zero-day (CVE-2013-3906) is also a remote code execution flaw that exists in the way affected components handle specially crafted TIFF images, according to a Microsoft advisory released last week. An attacker could exploit the bug by getting users to preview or open specially crafted email messages, files or web pages.

So far, Microsoft has released a “Fix It,” or temporary workaround, to help thwart exploitation of the bug, which affects Office 2003, 2007 and 2010, as well as versions of the Windows operating system and Microsoft Lync.

As for other major fixes that made the Patch Tuesday list this month, bulletins MS13-088, MS13-089, and MS13-090 fixed critical remote code execution bugs in Windows and IE, including the ActiveX zero-day disclosed by FireEye.

According to the security firm, which specializes in advanced cyber threats, the zero-day exploit was hosted on a U.S.-based site, compromising visitors via a method dubbed “watering hole attacks” by researchers.

In addition, the five remaining bulletins in the update addressed bugs ranked “important” in Office and Windows, which could lead to remote code execution (RCE), elevation of privilege for an attacker, denial of service attacks and information disclosure.

On Tuesday, Wolfgang Kandek, CTO of vulnerability and compliance management firm Qualys, wrote in a blog post that, along with paying “special attention” to the zero-days affecting users, the critical IE patch (MS13-088) should be a priority, as it resolves 10 RCE vulnerabilities in the browser.

“Browsers continue to be the favorite target for attackers, and Internet Explorer, with its leading market share, is one of the most visible and likely targets,” Kandek wrote.
