Targeted attacks exploit now-patched Windows bug revealed by Google engineer

A second vulnerability -- in IE8 -- was also under attack prior to Patch Tuesday, Microsoft says

Microsoft this week said a pair of vulnerabilities, including one publicly disclosed by a Google security engineer in May, had been exploited in the wild before they were patched on Tuesday.

"Microsoft was aware of this vulnerability being used to achieve elevation of privilege in targeted attacks," the firm said in a security bulletin Tuesday that covered eight flaws in Windows' kernel-mode drivers -- one of them the vulnerability revealed two months before by Google researcher Tavis Ormandy.

Ormandy, who has had a contentious relationship with Microsoft for years, posted information about a then-unpatched bug in Windows on May 17. At the time, Ormandy called Microsoft's code "silly" and claimed that the Google rival had treated outside researchers with "great hostility" and was "very difficult to work with."

While Ormandy did not publicly reveal a working exploit, attack code was released soon after his disclosure.

On Tuesday, Microsoft said that the vulnerability Ormandy discussed was theoretically a critical flaw that hackers could use to plant malware on Windows PCs without users' knowledge, but asserted that most attacks would fail to meet that bar and instead would only let attackers gain additional access rights to a machine, making it less of a threat.

Microsoft patched the bug with MS13-053, one of six security updates released this week.

Another of those updates also fixed a flaw that had been exploited earlier.

Just days before Microsoft delivered MS13-055, an update for Internet Explorer (IE), the company's security team received a report from VeriSign iDefense, a bug bounty program that turns its findings over to Microsoft, that a researcher had located an in-the-wild exploit of an unpatched IE bug.

After patching the IE vulnerability, Microsoft confirmed the active attacks in a blog post and an addendum to the MS13-055 bulletin. "Microsoft is aware of targeted attacks attempting to exploit the vulnerability described in CVE-2013-3163 through Internet Explorer 8," the latter stated.

Microsoft urged all customers to install the MS13-053 and MS13-055 updates as soon as possible.

This article, Targeted attacks exploit now-patched Windows bug revealed by Google engineer, was originally published at Computerworld.com.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Read more about windows in Computerworld's Windows Topic Center.

Tags: Google, security, Microsoft, Windows, software, operating systems

Over 200m Android devices exposed to buggy AppLovin ad library

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Business Continuity Management Solutions

Automate business-continuity and disaster-recovery planning and enable crisis management in one solution.

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.