With Microsoft’s Patch Tuesday release today, researchers anticipated one zero-day fix, but it appears the update brought patches for two vulnerabilities being exploited in the wild.
The monthly security update, which also marked the 10th anniversary of Microsoft’s Patch Tuesday releases, included eight patches: four deemed “critical” and four ranked “important.” In total, the patches addressed 28 vulnerabilities in the company’s products, including two zero-day flaws affecting Internet Explorer: CVE-2013-3893 and CVE-2013-3897.
Security bulletin MS13-080 fixed both remote code execution bugs in IE, along with eight other privately reported bugs.
On Tuesday, Marc Maiffret, CTO of security firm BeyondTrust, wrote in a blog post that fixes for IE this month should be employed immediately as attackers have already begun to leverage them in attacks.
“In addition to the publicly disclosed vulnerability [CVE-2013-3893], another vulnerability, CVE-2013-3897, has also been seen in targeted attacks in the wild exploiting Internet Explorer 8 browsers,” Maiffret wrote, later advising users to “roll out this patch as soon as possible.”
On Tuesday, Daniel Chechik, a researcher on Trustwave’s security team SpiderLabs, revealed in a blog post that the privately reported zero-day, CVE-2013-3897, had been in the wild for the past month and was being distributed via infected websites in campaigns that targeted Japanese and Korean users.
As for the publicly disclosed zero-day, CVE-2013-3893, Microsoft began warning users on Sept. 16 about the vulnerability when it released a temporary fix for the issue.
Not long after Microsoft’s advisory, researchers at advanced malware detection firm FireEye discovered that attackers infected at least three Japanese media websites to compromise users. The bug was eventually picked up in other campaigns, widening the geographical impact of the threat, FireEye said.
Aside from the critical bulletin addressing the IE bugs, the Patch Tuesday release also included three critical bulletins for remote code execution flaws in Windows and Microsoft .NET Framework.
In addition, the release fixed vulnerabilities ranked “important” in SharePoint Server, Excel, Word and Silverlight.
According to Microsoft’s security blog, the privately reported vulnerability in Silverlight could allow attackers to disclose users’ data if exploited.
Microsoft Silverlight is a free web browser plug-in used to create interactive web and mobile applications. To carry out the Silverlight exploit, an attacker would need to convince a user to visit a compromised website.