Microsoft to patch actively-exploited zero-day flaw on Tuesday

Graham Cluley

On Friday, researchers at security firm FireEye shared details of critical vulnerabilities they had discovered in Internet Explorer and – worse – that they were being actively exploited by cybercriminals.

A blog post by Dustin Childs of Microsoft’s Trustworthy Computing group shares the good news that the security flaws are already set to be fixed in this month’s regular Patch Tuesday bundle, due to be released tomorrow.

Late last Friday, November 8, 2013, a vulnerability, CVE-2013-3918, affecting an Internet Explorer ActiveX Control was publicly disclosed. We have confirmed that this vulnerability is an issue already scheduled to be addressed in “Bulletin 3”, which will be released as MS13-090, as listed in the November Advanced Notification Service (ANS). The security update will be distributed to customers tomorrow via Windows Update at approximately 10:00 AM PDT. Customers who have Automatic Updates enabled will not need to take any action to receive the update.

It’s good news that Microsoft has a fix already in the works, and ready for public use so quickly, as security researchers claim that they have seen malware capable of using the exploit to load directly into targeted computers’ memory, bypassing the hard drive.

The “diskless” nature of the threat poses extra challenges for companies attempting to determine if any of their computers have been compromised.

(Note to readers: the security flaws uncovered by FireEye are different from the current TIFF image zero-day vulnerability, a fix for which seems unlikely to be ready for Patch Tuesday)

It should go without saying – if you run Microsoft software on your computer, you need to pay attention when they issue their security updates, and consider rolling them out across your PCs as quickly as possible.

Indeed, if you are a home user then the best approach is almost certainly to enable automatic updates for important security fixes like this.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.