Patch Tuesday Fixes Zero Day

Wednesday, November 13, 2013 @ 06:11 AM gHale


For Patch Tuesday, Microsoft addressed 19 unique vulnerabilities in products including Internet Explorer, Hyper-V, the Graphics Device Interface (GDI), Office, and others.

They also fixed the Zero Day vulnerability in Internet Explorer disclosed by FireEye over the weekend.

Of the advisories, the three most critical patches are the Internet Explorer patch (MS13-088), the GDI patch (MS13-089), and the patch for the Zero Day flaw in an ActiveX control, which affected several versions of Internet Explorer (MS13-090), security experts said.

“Bulletin MS13-090 addresses the publicly-known issue in ActiveX Control, currently under targeted attacks. Customers with automatic updates enabled are protected against this vulnerability and do not need to take any action,” said Dustin Childs, group manager of Microsoft Trustworthy Computing.

Last week, security firm FireEye notified Microsoft of serious vulnerabilities in Internet Explorer, but it appears the team already knew about them as the ActiveX control patch (MS13-090) fixes the InformationCardSignInHelper flaw. Attackers have already targeted the bug in a watering-hole-style attack, and exploit code appeared on text-sharing site Pastebin, making this a high-priority issue.

Microsoft also disclosed a Zero Day vulnerability in how some versions of Microsoft Windows and older versions of Microsoft Office handled the TIFF graphics format. There is no patch available addressing this flaw in this Patch Tuesday release, so users who have not yet installed the FixIt temporary workaround should consider doing so as soon as possible.

Another IE patch (MS13-088) fixed two information disclosure bugs and eight memory corruption issues in various versions of the Web browser. Two of the vulnerabilities affect every version of IE, from versions 6 through 11, the latest version. While there have been no reported attacks exploiting these vulnerabilities, the fact that so many versions of Windows and Internet Explorer are affected means this patch should roll out as soon as possible.

The third highest priority bulletin (MS13-089) fixes a GDI bug, which affects every supported version of Windows from XP to Windows 8.1. Attackers need to create a malicious file and convince users to open it in WordPad to exploit this vulnerability.

The remaining patches addressed vulnerabilities in various versions of Microsoft Office (MS13-091), an information disclosure vulnerability in newer versions of Office (MS13-094), an elevation of privilege flaw in Hyper-V (MS13-092) in Windows 8 and Server 2012 R2, an information disclosure bug in Windows (MS13-093), and a denial of service (MS13-095) issue in the operating system.


