October’s Patch Tuesday held a surprise for those who were eagerly anticipating a patch for a widely exploited Internet Explorer zero-day vulnerability: A second and unexpected zero-day patch for the popular browser.
Unlike the first zero-day that has been key to multiple targeted attacks in the wild like the water-hole style attack dubbed “Operation DeputyDog” and the compromise of security vendor Bit9 earlier this year, this second zero-day has been exploited in more generic attacks for about one month.
“It is being used to distribute general malware. Unlike the previous zero day in IE, this one distributes malware to steal credentials from online gamers, or disrupt access to banking sites. It’s general malware, not targeted attacks,” said SpiderLabs’ Director of Security Research Ziv Mador, who are credited with discovering the attacks.
“The exploit is not trivial and these types of exploits are often not trivial. They require a number of quite creative combinations to work. That was the case here,” Mador said.
In this month’s Patch Tuesday releases, Microsoft corrected four vulnerabilities rated as being critical, and four more rated as important for products including the .NET Framework, Windows, Microsoft Office, and the already mentioned Internet Explorer zero-day.
Complete analysis of all of the Patch Tuesday mitigations, see the October Patch Tuesday VERT Alert here.
Read More Here…