Amidst all the buzz of late regarding a slew of Microsoft zero-day vulnerabilities being exploited in the wild, it’s slightly comforting to know that the company plans to mitigate at least one of the bugs in this latest round of Patch Tuesday updates.
CVE-2013-3918, which affects an Internet Explorer ActiveX Control, was publicly disclosed late last week, and it turned out that Microsoft was already aware of the flaw and working to put a patch together for this week’s updates.
“We have confirmed that this vulnerability is an issue already scheduled to be addressed in ‘Bulletin 3’, which will be released as MS13-090, as listed in the November Advanced Notification Service (ANS). The security update will be distributed to customers tomorrow via Windows Update at approximately 10:00 AM PDT. Customers who have Automatic Updates enabled will not need to take any action to receive the update,” wrote Microsoft’s Dustin Childs.
That’s the good news. The bad news is that there are at least two other zero-days that will not be patched in this round. The first is a TIFF image vulnerability, also disclosed last week, that is actively being exploited in targeted attacks using tainted Word documents sent to victims via email.
Microsoft has released a temporary Fix it workaround that can block the attack by changing the configuration on the computer to prevent the rendering of the vulnerable graphic format, but it does not mitigate the vulnerability itself.
The other is the Internet Explorer zero-day Ephemeral Hydra, which researchers said is “a brand new IE zero-day that compromises anyone visiting a malicious website; classic drive-by download attack. The exploit leverages a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution.”
IE 8 on Windows XP and IE 9 on Windows 7 are vulnerable to the information leakage flaw, and IE 7 and 8 on Windows XP and Windows 7 are affected by the memory access bug.