On Friday, researchers at security firm FireEye shared details of critical vulnerabilities they had discovered in Internet Explorer and - worse - that it was being actively exploited by cybercriminals.
A blog post by Dustin Childs of Microsoft’s Trustworthy Computing group shares the good news that the security flaws are already set to be fixed in this month’s regular Patch Tuesday bundle, due to be released tomorrow.
Late last Friday, November 8, 2013, a vulnerability, CVE-2013-3918, affecting an Internet Explorer ActiveX Control was publically disclosed. We have confirmed that this vulnerability is an issue already scheduled to be addressed in “Bulletin 3”, which will be released as MS13-090, as listed in the November Advanced Notification Service (ANS). The security update will be distributed to customers tomorrow via Windows Update at approximately 10:00 AM PDT. Customers who have Automatic Updates enabled will not need to take any action to receive the update.
It’s good news that Microsoft has a fix already in the works, and ready for public use so quickly, as security researchers claim that they have seen malware capable of using the exploit to load directly into targeted computers’ memory, bypassing the hard drive.
The “diskless” nature of the threat poses extra challenges for companies attempting to determine if any of their computers have been compromised.
(Note to readers: the security flaws uncovered by FireEye are different from the current TIFF image zero-day vulnerability, a fix for which seems unlikely to be ready for Patch Tuesday)
It should go without saying - if you run Microsoft software on your computer, you need to pay attention when they issue their security updates, and consider rolling them out across your PCs as quickly as possible.
Indeed, if you are a home user then the best approach is almost certainly to enable automatic updates for important security fixes like this.