Patch Tuesday provides one zero-day fix, while patch for another still looms


Microsoft's monthly security update addresses a freshly discovered zero-day vulnerability that was actively compromising users via drive-by download attacks.

The Patch Tuesday release was dispatched today for users, and included eight bulletins that rectify 19 unique vulnerabilities in Windows, Internet Explorer and Office.

Prior to the update, organizations were awaiting fixes for two zero-day flaws: a remote code execution bug (CVE-2013-3918) disclosed by FireEye last Friday, which this release addresses; and another zero-day, made public last Tuesday, that has yet to receive a permanent fix.

The unpatched zero-day (CVE-2013-3906) is also a remote code execution flaw; it exists in the way affected components handle specially crafted TIFF images, according to a Microsoft advisory released last week. An attacker could exploit the bug by getting users to preview or open specially crafted email messages, files or web pages.

So far, Microsoft has released only a "Fix It," a temporary workaround rather than a patch, to help thwart exploitation of the bug, which affects Office 2003, 2007 and 2010, as well as versions of the Windows operating system and Microsoft Lync.
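For administrators who want to confirm where a fleet stands between the workaround and the eventual patch, the following PowerShell script is an added example and is not code from the article, Microsoft or Qualys. It reports whether a host has a given list of KB updates installed and whether the GDI+ TIFF codec has been disabled. The registry value it inspects (HKLM:\SOFTWARE\Microsoft\Gdiplus\DisableTIFFCodec = 1) is an assumption about what the Fix It sets, and the KB numbers are left as a parameter because the article does not list them.

```powershell
# Added example (not from the article): audit a Windows host for
# (a) required hotfixes by KB ID and (b) the GDI+ TIFF codec kill switch.
# ASSUMPTION: the CVE-2013-3906 "Fix It" sets
#   HKLM:\SOFTWARE\Microsoft\Gdiplus\DisableTIFFCodec (REG_DWORD) = 1
# The KB list is a parameter; the article does not state KB numbers.
param(
    [string[]]$RequiredKB = @()
)

function Test-TiffCodecDisabled {
    # Returns $true only when the assumed workaround value is present and set to 1.
    $path = 'HKLM:\SOFTWARE\Microsoft\Gdiplus'
    $item = Get-ItemProperty -Path $path -Name DisableTIFFCodec -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.DisableTIFFCodec -eq 1)
}

function Get-MissingHotfix {
    # Compares the requested KB IDs against what Get-HotFix reports as installed.
    param([string[]]$KB)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return @($KB | Where-Object { $installed -notcontains $_ })
}

$missing = Get-MissingHotfix -KB $RequiredKB
$workaround = Test-TiffCodecDisabled

[PSCustomObject]@{
    ComputerName        = $env:COMPUTERNAME
    MissingHotfixes     = ($missing -join ', ')
    TiffCodecDisabled   = $workaround
    # A host is only "covered" for the TIFF bug while the workaround is in place,
    # since no patch for CVE-2013-3906 exists in this release.
    TiffWorkaroundState = $(if ($workaround) { 'applied' } else { 'NOT applied' })
}
```

Run it as an elevated user, e.g. `.\audit.ps1 -RequiredKB 'KB0000000','KB0000001'` with the real KB IDs from the bulletins; hosts that report the workaround as not applied remain exposed to the TIFF flaw regardless of which Patch Tuesday updates they have installed. Note that disabling the codec also breaks legitimate TIFF rendering in the affected components, so the setting should be reverted once the permanent fix ships.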

As for other major fixes that made the Patch Tuesday list this month, bulletins MS13-088, MS13-089, and MS13-090 fixed critical remote code execution bugs in Windows and IE, including the ActiveX zero-day disclosed by FireEye.

According to the security firm, which specializes in advanced threats, the zero-day exploit was hosted on a compromised U.S.-based site and served to that site's visitors, a technique researchers call a "watering hole" attack.

In addition, the five remaining bulletins in the update addressed bugs ranked “important” in Office and Windows, which could lead to remote code execution (RCE), elevation of privilege for an attacker, denial of service attacks and information disclosure.

On Tuesday, Wolfgang Kandek, CTO of vulnerability and compliance management firm Qualys, wrote in a blog post that, beyond paying "special attention" to the zero-days affecting users, organizations should make the critical IE patch (MS13-088) a priority, as it resolves 10 RCE vulnerabilities in the browser.

“Browsers continue to be the favorite target for attackers, and Internet Explorer, with its leading market share, is one of the most visible and likely targets,” Kandek wrote.
