Microsoft to patch actively-exploited zero-day flaw on Tuesday


On Friday, researchers at security firm FireEye shared details of critical vulnerabilities they had discovered in Internet Explorer and - worse - that they were being actively exploited by cybercriminals.

A blog post by Dustin Childs of Microsoft’s Trustworthy Computing group shares the good news that the security flaws are already set to be fixed in this month’s regular Patch Tuesday bundle, due to be released tomorrow.

Late last Friday, November 8, 2013, a vulnerability, CVE-2013-3918, affecting an Internet Explorer ActiveX Control was publicly disclosed. We have confirmed that this vulnerability is an issue already scheduled to be addressed in “Bulletin 3”, which will be released as MS13-090, as listed in the November Advanced Notification Service (ANS). The security update will be distributed to customers tomorrow via Windows Update at approximately 10:00 AM PDT. Customers who have Automatic Updates enabled will not need to take any action to receive the update.

It’s good news that Microsoft has a fix already in the works, and ready for public use so quickly, as security researchers claim that they have seen malware capable of using the exploit to load directly into targeted computers’ memory, bypassing the hard drive.

The “diskless” nature of the threat poses extra challenges for companies attempting to determine if any of their computers have been compromised.

(Note to readers: the security flaws uncovered by FireEye are different from the current TIFF image zero-day vulnerability, a fix for which seems unlikely to be ready for Patch Tuesday)

It should go without saying - if you run Microsoft software on your computer, you need to pay attention when they issue their security updates, and consider rolling them out across your PCs as quickly as possible.

Indeed, if you are a home user then the best approach is almost certainly to enable automatic updates for important security fixes like this.
