While network administrators will be relieved to find that this is the first Patch Tuesday bulletin in several months that doesn’t affect Microsoft server software, the fact that the scheduled releases do not address the latest zero-day vulnerabilities means no one can rest easy.
“The most interesting piece of Microsoft’s November patch release is what’s missing – the TIFF zero-day and an Office (hxds.dll) ASLR update,” said Tripwire researcher Craig Young.
Last week Microsoft announced the discovery of a vulnerability in a Microsoft graphics component that is actively being exploited in targeted attacks using tainted Word documents sent to victims via email.
The exploit requires the target to open the specially crafted Word Doc which contains a malformed graphics image embedded in the document, and has been linked to targeted attacks in the Middle East and South Asia.
Microsoft has released a temporary Fix it workaround that can block the attack by changing the configuration on the computer to prevent the rendering of the vulnerable graphic format, but it does not mitigate the vulnerability itself.
This month’s updates also show that new Microsoft software isn’t immune to flaws, as Office 2013, Internet Explorer 11, and Windows 8.1 will all receive patches on Tuesday.
“It’s a pretty typical patch Tuesday; Internet Explorer, Windows, and Office patches will ship, but unfortunately we won’t see a fix for the latest zero day,” said Tyler Reguly, technical manager of IT security research and development at Tripwire.
While the patch cycle may be typical, the discovery late last week of a new Internet Explorer zero-day means we all have to remain vigilant.
Researchers said “it’s a brand new IE zero-day that compromises anyone visiting a malicious website; classic drive-by download attack. The exploit leverages a new information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution.”
IE 8 on Windows XP and IE 9 on Windows 7 are vulnerable to the information leakage flaw, and IE 7 and 8 on Windows XP and Windows 7 are affected by the memory access bug.