Microsoft Patch Tuesday fixes two separate IE zero-day flaws

Microsoft released eight security bulletins, and one fixes two flaws in IE already being exploited in the wild.

Today is Patch Tuesday. It also happens to be the 10-year anniversary of the monthly security patch update. For October, Microsoft released eight new security bulletins--four rated as Critical and four Important. There is one in particular, though, that deserves the most urgent attention.

MS13-080--the cumulative security update for Internet Explorer--addresses a total of 10 separate vulnerabilities affecting all supported versions of the Web browser. But the urgency of applying this update stems from the fact that two of the vulnerabilities it addresses are zero-day flaws that are already being actively exploited in the wild.

"Many people have been on their toes watching the IE exploit since it first became public in mid-September," says Andrew Storms, senior director of DevOps for CloudPassage. "Despite the exploit being used in a watering hole attack and Metasploit releasing a module for the exploit, Microsoft did not find it necessary to release the fix out of band."

"So far these bugs are only being exploited in limited attacks, but users are still strongly encouraged to patch IE as soon as possible," says Lamar Bailey, director of security research and development for Tripwire. "Now that a patch is available we expect to see a rise in the number of attacks using these vulnerabilities."

Storms agrees, cautioning IT admins and users not to take Microsoft's leisurely pace as a justification to sit on this one. "Regardless of Microsoft's decision to not go out-of-band, users should prioritize the fix at the top of their list," he says.

Internet Explorer doesn't have a monopoly on the fun this month. There are two other security bulletins that follow closely behind the Internet Explorer cumulative security update in terms of urgency.

MS13-081 addresses seven vulnerabilities in kernel-mode drivers affecting all versions of Windows except for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2. Two of the flaws are related to font-parsing and could enable an attacker to remotely execute malicious code if successfully exploited.

"Both of the font vulnerabilities will be a prime target for attackers in the near future, since these types of vulnerabilities have proven to be useful in targeted attacks in the past," says Marc Maiffret, CTO at BeyondTrust. "Administrators should deploy this patch as soon as possible."

Ross Barrett, senior manager of security engineering at Rapid7, says that it's important to apply the MS13-083 update as soon as possible as well. "This is a genuine article; a real, honest to goodness, potentially 'wormable' condition," he says. "If the 'bad guys' figure out a way to automate the exploitation of this, it could spread rapidly and the defense in depth measures of your organization will be tested."

Microsoft has released a total of 87 security bulletins so far this year. That puts them 17 ahead of last year's pace, and if the average pace of security bulletins continues for the next couple of months it will easily put Microsoft over 100 security bulletins for the year--a dubious milestone that Microsoft has only achieved a few times. However, the number of bulletins should also be viewed from the perspective that Microsoft has stepped up the pace for addressing identified vulnerabilities, and it is patching a growing number of supported platforms and applications.

"A quick congratulations to Microsoft as their flaw remediation program officially turns 10 this month," says Paul Henry, security and forensics analyst at Lumension. "October 2003 marked the first proactive patch issue from Microsoft, on a Wednesday to start. Patch Tuesdays started the following month and, over the last decade, has positively impacted IT's ability to make informed decisions."

Wolfgang Kandek, CTO of Qualys, also reflects on the anniversary of Patch Tuesday in a blog post: "Our perspective has certainly evolved from 10 years ago when Patch Tuesday was started. Back then, vulnerabilities were clear cut and straightforward to understand, today the amount of complexity that goes into the detection and remediation process is truly impressive. At the same time, attackers have shifted to client side vulnerabilities, a change that we only partly assimilated; we are good in addressing the browser vulnerabilities, but generally lag behind in other areas that will be in focus this month such as Adobe Reader and Java."

Stories by Tony Bradley

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts