Microsoft: October Patch Tuesday vulnerability patched in November

Microsoft: October Patch Tuesday vulnerability patched in November

Summary: [Correction: ] One of the October Internet Explorer vulnerabilities wasn't patched until November

TOPICS: Security, Windows

[CORRECTION: My first take on this was just plain wrong. The update I read in the security bulletin was in the October Patch Tuesday bulletin, not the November bulletin. I was partly confused because it's unusual for Microsoft to have Cumulative Updates for Internet Explorer two months in a row, as they did in October and November. My apologies to you and to Microsoft, but what happened is still interesting, so here goes:]

Two days after the October Patch Tuesday updates, Microsoft corrected one of the security bulletins for that month to indicate that they had not in fact patched one of the vulnerabilities listed in it. That vulnerability — CVE-2013-3871 — was, in fact, patched in the November updates, specifically as part of MS13-088: Cumulative Security Update for Internet Explorer.

The initial bulletin was MS13-080: Cumulative Security Update for Internet Explorer — note that both are Cumulative Updates. It originally listed 10 vulnerabilities, one of them CVE-2013-3871. The vulnerability was credited to Simon Zuckerbraun working with HP's Zero Day Initiative.

Microsoft gave essentially no description of the vulnerability, either in October or November, beyond the title: Internet Explorer Memory Corruption Vulnerability.

Symantec has a little more explanation in their description of the bug, although this text is also boilerplate for such a vulnerability:

Microsoft Internet Explorer is prone to a memory-corruption vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions. Microsoft Internet Explorer 6, 7, 8, 9, and 10 are affected.

Topics: Security, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • So did it install

    Going by them articles and executing the command (wmic qfe where hotfixid="KB2879017" get /all /format:list) it says on my machine that its installed (InstalledOn=10/9/2013). So Microsoft is getting pretty bad with their quality control lately.
    • That's all of MS13-080

      That refers to the overall cumulative update, not the specific vulnerability
    • So, you had to use the command line on. Windows machine?

      Where is Loverock and his absurd comments about Linux?
      • You don't have to.

        He just chose to.
      • lol

        Im a systems administrator and live on the cli. People may not know it but with powershell and WMIC, Windows cli can be a very powerful tool when administering nodes across a large enterprise.
        So yes, i always use the command line instead of a GUI because it gives me more control at the detail level i choose.
  • Everybody should be on IE11 now.

    Those with XP or Vista should get a Dell venue 8 for web surfing.
    Johnny Vegas
    • Issues

      What issues if any have you had with IE11 mate? Im reading mixed reports so haven't published this with WSUS as of yet.
    • No way Ie11 is for Touch and WIN8...........

      So keep your win8/ie11 comments to yourself.
      We are on WIN7 and IE10 and there we will be staying.

      Windows if aplie of C##P
      • IE 11 can be used without touch

        Just so you know.
        Michael Alan Goff
  • Just curious, how long until Metasploit publishes an exploit?

    Oh, well. At least it wasn't the vulnerability with the exploit currently in-the-wild.
    Rabid Howler Monkey
  • Errr.....

    It was previously announced that the released update would not include the vulnerability fix.
  • This was an update to an October, 2013, Patch Tuesday bulletin

    MS13-080 is from October, 2013. In addition, this revision for removing CVE-2013-3871 was made on October 10, 2013.
    Rabid Howler Monkey
  • Also, this omission by Microsoft was reported over a month ago at ZDNet

    And looking at Microsoft's Security Bulletin MS13-088 for November, 2013, CVE-2013-3871 appears to have been patched:
    Rabid Howler Monkey
  • Microsoft: One of the Patch Tuesday vulnerabilities not actually patched

    Already scheduled in a future update, was only shown at HP ZDI, not in the wild. So there is nothing to worry about.
  • My Computer crashed in October and then again in November

    There is definitely a quality control problem. It makes me wonder whether they are ITIL certified ???.
    • Or.....

      Maybe it's the crap on your damn computer. Never had a virus or malware on it? Don't put the blame on others when other no one has the problem you can't even describe. Makes me wonder if you know what ITIL certification means.