Feeds

Happy 10th b-day, Patch Tuesday: TWO critical IE 0-day bugs, did you say?

A decade on, Microsoft pushes out 8 bulletins – half of 'em critical bug squishes

Security for virtualized datacentres

Microsoft delivered no fewer than eight bulletins to mark the tenth anniversary of Patch Tuesday, including a fix covering two zero-day vulnerabilities in Internet Explorer.

A critical patch for all supported versions of IE covers a well-anticipated fix for the CVE-2013-3893 vulnerability, which has been associated with cyber espionage-style attacks against targets in Japan, Taiwan and elsewhere in Asia since late August.

Microsoft also released a bonus extra fix for another in-the-wild browser bug. The same MS13-080 bulletin also covers the CVE-2013-3897 vulnerability that has become the target of attacks over the last two weeks or so. FireEye was the first to discover a malware campaign (dubbed Operation DeputyDog) linked to the CVE-2013-3893 security bug, while Trustwave SpiderLabs is claiming the credit for fingering the CVE-2013-3897 flaw.

"MS13-080 also addresses CVE-2013-3897 in an interesting case that illustrates the concurrent discoveries of vulnerabilities," explains Wolfgang Kandek, CTO of cloud security firm Qualys, in a blog post.

"The vulnerability underlying CVE-2013-3897 was found internally at Microsoft and would have been fixed in MS13-080 as part of the normal security engineering and hardening that the product undergoes constantly. However, in the last two weeks, attacks against the same vulnerability became public – again, limited and targeted in scope – but since the fix was in the code already, it enabled Microsoft to address the vulnerability, CVE ID CVE-2013-3897, in record time."

Microsoft explains that the MS13-080 bulletin “fixes multiple security issues, including two critical vulnerabilities that haven't been actively exploited in limited targeted attacks.”

All versions of IE, from 6 to 11, need patching with updates that tackle 10 vulnerabilities in total.

The MS13-080 bulletin is by far the most important of the October batch but Redmond is also releasing three other critical fixes and four "important" security bulletins. The batch, which marks the tenth anniversary of Patch Tuesday, collectively grapples with 26 vulnerabilities.

The critical MS13-081 update addresses seven vulnerabilities in the Windows kernel, including problems in font handling, and can be triggered remotely through malicious web pages and maliciously formatted Office documents. Bugs in Microsoft's .NET Framework and finally a vulnerability in Windows Common Control Library (64 bit only) occupy the remaining two berths on the critical list.

The upshot is that everything from Windows XP up to and including Windows 8 and Windows RT will need patching to defend against security bugs that are more problematic for desktop systems.

Noteworthy "important" vulnerabilities MS13-085 and MS13-086, both cover remote code execution-type vulnerabilities in Microsoft Excel and Microsoft Word, respectively. Security watchers are more worried about the potential for mischief from these bugs than Microsoft itself.

The two other "important" updates cover lesser security bugs in Microsoft Silverlight 5 and Redmond's Sharepoint portal server software.

Microsoft's advisory and an easier to understand graphical overview from the SANS Institute's Internet Storm Centre provide more information.

Adobe – fresh from warning about a compromise on its website that might have exposed the IDs, password hashes, and encrypted credit card information of nearly three million customers – separately delivered a patch for its Acrobat and Reader software. Adobe also patched its RoboHelp software. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.