Patch/Configuration Management, Vulnerability Management

Patch Tuesday provides one zero-day fix, while patch for another still looms

Microsoft's monthly security update addresses a freshly discovered zero-day vulnerability that was actively compromising users via drive-by download attacks.

The Patch Tuesday release was dispatched today for users, and included eight bulletins that rectify 19 unique vulnerabilities in Windows, Internet Explorer and Office.

Prior to the update, organizations awaited fixes for two zero-day flaws: a remote code execution bug (CVE-2013-3918) disclosed by FireEye last Friday, which was addressed; and another zero-day, made public last Tuesday, that has yet to receive a permanent fix.

The unpatched zero-day (CVE-2013-3906) is also a remote code execution flaw that exists in the way affected components handle specially crafted TIFF images, according to a Microsoft advisory released last week. An attacker could exploit the bug by getting users to preview or open specially crafted email messages, files or web pages.

So far, Microsoft has released a “Fix It,” or temporary workaround, to help thwart exploitation of the bug, which affects Office 2003, 2007 and 2010, as well as versions of the Windows operating system and Microsoft Lync.

As for other major fixes that made the Patch Tuesday list this month, bulletins MS13-088, MS13-089, and MS13-090 fixed critical remote code execution bugs in Windows and IE, including the ActiveX zero-day disclosed by FireEye.

According to the security firm, which specializes in advanced cyber threats, the zero-day exploit was hosted on a U.S.-based site, compromising visitors via a method dubbed “watering hole attacks” by researchers.

In addition, the five remaining bulletins in the update addressed bugs ranked “important” in Office and Windows, which could lead to remote code execution (RCE), elevation of privilege for an attacker, denial of service attacks and information disclosure.

On Tuesday, Wolfgang Kandek, CTO of vulnerability and compliance management firm Qualys, wrote in a blog post that, along with paying “special attention” to the zero-days affecting users, the critical IE patch (MS13-088) should be a priority, as it resolves 10 RCE vulnerabilities in the browser.

“Browsers continue to be the favorite target for attackers, and Internet Explorer, with its leading market share, is one of the most visible and likely targets,” Kandek wrote.
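Prioritizing bulletins is only useful if you can confirm they actually landed. The following PowerShell snippet is an added example, not code from the article, from Microsoft or from Qualys. It reports, per host, which of a required set of updates is missing. The mapping of bulletin ID to KB article is a hypothetical parameter, and the KB numbers shown are placeholders: the article does not list them, so fill them in from the MS13-088, MS13-089 and MS13-090 bulletin pages before use.

```powershell
# Added example (not part of the SC Media article, nor Microsoft or Qualys tooling).
# Lists which of a required set of Patch Tuesday updates are missing from a host,
# so an administrator can verify that the prioritized bulletins were installed.

function Test-RequiredHotfixes {
    [CmdletBinding()]
    param(
        # Hypothetical mapping: bulletin ID -> KB article that bulletin installs.
        [Parameter(Mandatory)]
        [hashtable]$BulletinToKB,

        # Host to query; defaults to the local machine.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Get-HotFix reads the installed-update list (Win32_QuickFixEngineering);
    # HotFixID values look like "KB1234567".
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
        Select-Object -ExpandProperty HotFixID

    foreach ($bulletin in ($BulletinToKB.Keys | Sort-Object)) {
        $kb = $BulletinToKB[$bulletin]
        [pscustomobject]@{
            ComputerName = $ComputerName
            Bulletin     = $bulletin
            KB           = $kb
            Installed    = ($installed -contains $kb)
        }
    }
}

# PLACEHOLDER KB numbers: replace with the real ones from each bulletin page.
$required = @{
    'MS13-088' = 'KB<PLACEHOLDER-IE-CUMULATIVE>'
    'MS13-089' = 'KB<PLACEHOLDER>'
    'MS13-090' = 'KB<PLACEHOLDER>'
}

# Show only the bulletins that are still missing on this host.
Test-RequiredHotfixes -BulletinToKB $required |
    Where-Object { -not $_.Installed } |
    Format-Table -AutoSize
```

To sweep a fleet, pipe a list of hostnames into a loop that calls `Test-RequiredHotfixes -ComputerName $host` and export the combined objects to CSV; hosts where the IE bulletin (MS13-088) or either zero-day fix is missing are the ones to escalate first, which matches the prioritization Kandek describes.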
