Microsoft is repairing not just the zero-day vulnerability in Internet Explorer that has been under active exploitation for two weeks, but also a second IE bug.
Microsoft released its monthly Patch Tuesday security update, including fixes for a pair of critical zero-day flaws in the Internet Explorer Web browser. IE, however, isn’t the only critical area that Microsoft users need to be concerned about this month.
“There will be one thought on IT teams’ minds today: ‘Where did this second IE zero-day come from and why haven’t we heard about it?'” Tyler Reguly, technical manager of security research and development at Tripwire said. “The revelation of this extra little ‘gift’ in today’s bulletin makes installing the IE patch as soon as possible even more critical than usual.”
Lamar Bailey, director of security research and development at Tripwire noted that the MS13-080 bulletins covers multiple Common Vulnerabilities and Exposures (CVEs) associated with IE and two of these, CVE-2013-3897 and CVE-2013-3893, pertain to issues that are being exploited in the wild.
Among the flaws patched in the MS13-080 update for IE is the one identified as CVE 2013-3893. That particular flaw was first identified two weeks ago.
Attacks against the vulnerability have been occurring in the wild ever since. Until today, Microsoft had only made a “Fix-It” update available for the flaw providing a limited “band-aid” approach to mitigating the associated risk.
Microsoft has handled the CVE 2013-3893 situation professionally, Woflgang Kandek, CTO of security vendor Qualys, told eWEEK.
“They acknowledged the threat, and offered a work-around via a Fix-It, then monitored the situation to see how things were developing,” Kandek said.
At the same time, members of the Microsoft Active Protections Program (MAPP) were able to deploy their own counter-measures based on the shared exploit code and helped protect clients that updated their end-point protections, he said.
Microsoft was “ready to go out of band with a less-than-completely-tested package, but it turned out that it wasn’t necessary,” Kandek said, “as attacks did not reach the threshold that would warrant the additional complications and out-of-band would involve.”
Another critical set of issues that are being patched this month is detailed in the MS13-081 Bulletin titled, “Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution.”
“Remote code execution in the context of the Windows Kernel-Mode Drivers can allow attackers to gain complete control over an affected system with administrative rights,” Tommy Chin, technical support engineer at Core Security, said. “This one vulnerability potentially bundles remote code execution along with privilege escalation.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.