Microsoft to patch zero-day bug Tuesday

Summary: The Internet Explorer vulnerability that FireEye identified in a zero-day attack will, apparently by happy coincidence, be patched Tuesday as part of Microsoft's regular monthly updates.

Topics: Security, Windows

Over the weekend, security company FireEye reported an unpatched vulnerability in Internet Explorer that was being exploited in a targeted zero-day watering-hole attack: the exploit was served from a single compromised website to that site's visitors.


Today, Microsoft announced that the vulnerability will be patched Tuesday in one of its already-scheduled updates. Microsoft says the vulnerability, which has been assigned CVE-2013-3918, is in an ActiveX control used by Internet Explorer; the update that fixes it, Bulletin 3 (MS13-090), is nonetheless listed as an update to Windows rather than as part of the Internet Explorer cumulative update, because the vulnerable control is a Windows component.

Microsoft's advisory lists mitigations (raising the Internet and Local intranet zones to High, prompting for or disabling Active Scripting in those zones, and deploying EMET), but under the circumstances (a highly targeted attack, patched tomorrow) it is probably not worth resorting to them.



Talkback

11 comments
  • Doesn't seem to add up ...

    The first two of the recommended mitigations for the vulnerability listed in Microsoft's announcement (linked in the article) include:

    o "Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones ... trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption"
    o "Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and local intranet security zones ... trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption."

    And from FireEye's 2nd blog article regarding the exploit:

    http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html
    "The exploit chain was limited to one website. There were no iframes or redirects to external sites to pull down the shellcode payload."

    If the exploit is hosted at a frequently-visited, legitimate web site which is included in Internet Explorer's Trusted Zone, how will either of these particular mitigations help? Note that FireEye's first blog article did mention communication with the attacker's server:

    http://www.fireeye.com/blog/technical/2013/11/new-ie-zero-day-found-in-watering-hole-attack.html
    "The timestamp [from the PE headers of msvcrt.dll] is sent back to the attacker’s server to choose the exploit with an ROP chain specific to that version of msvcrt.dll."

    Would this communication involve active scripting?

    P.S. Microsoft's recommended mitigation of deploying EMET does make sense based on FireEye's blog articles.

    P.P.S. If Microsoft's first two recommended mitigations are correct, then it seems that Enhanced Security Configuration (ESC) for Internet Explorer would also serve as a mitigation (if enabled on Windows server OSs).
    Rabid Howler Monkey
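The comment above turns on a concrete check: whether the two zone-based mitigations Microsoft lists are actually in force for a user, and whether the watering-hole site would be exempt from them because it sits in the Trusted Sites zone. The following PowerShell audit script is an added example written for this page; it is not from the article, the commenters, or Microsoft's advisory. It assumes the documented Internet Explorer zone registry layout (Zones\1 = Local intranet, Zones\2 = Trusted sites, Zones\3 = Internet; value 1200 = run ActiveX controls, 1400 = Active scripting, with 0 = Enable, 1 = Prompt, 3 = Disable; CurrentLevel 0x12000 = the High template) and assumes the Enhanced Security Configuration component GUID it checks is unchanged on your Server version.

```powershell
<#
Added audit script (not from the ZDNet article, its commenters, or Microsoft).
Reports, for the current user, whether the Internet and Local intranet zones
block ActiveX and prompt for / disable Active Scripting, then lists every host
the user has mapped into the Trusted Sites zone, because a watering-hole page in
that zone is exempt from the Internet and Local intranet settings.
Assumed registry layout (documented IE zone layout):
  Zones\<id>     1 = Local intranet, 2 = Trusted sites, 3 = Internet
  value 1200     Run ActiveX controls and plug-ins
  value 1400     Active scripting       (0 = Enable, 1 = Prompt, 3 = Disable)
  CurrentLevel   0x12000 = High template
Run with -Apply to write the mitigation into zones 1 and 3 for the current user.
#>
param([switch]$Apply)

$zonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$domainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$zoneNames  = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet' }
$valueNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneState([int]$Zone) {
    $p       = Get-ItemProperty -Path "$zonesKey\$Zone"
    $activeX = [int]$p.'1200'   # missing value reads as 0 (Enable)
    $script  = [int]$p.'1400'
    [pscustomobject]@{
        Zone         = $zoneNames[$Zone]
        CurrentLevel = ('0x{0:X}' -f [int]$p.CurrentLevel)
        ActiveX      = $valueNames[$activeX]
        Scripting    = $valueNames[$script]
        # Counts as mitigated only if ActiveX is blocked and scripting is not silently enabled.
        Mitigated    = ($activeX -eq 3 -and $script -ne 0)
    }
}

function Get-MappedDomains([int]$Zone) {
    # ZoneMap stores www.example.com as Domains\example.com\www, with one DWORD per
    # scheme (http, https or *) holding the zone number; walk it and rebuild the host.
    $base = Get-Item -Path $domainsKey -ErrorAction SilentlyContinue
    if (-not $base) { return }
    foreach ($key in (Get-ChildItem -Path $domainsKey -Recurse -ErrorAction SilentlyContinue)) {
        $labels = $key.Name.Substring($base.Name.Length).TrimStart('\') -split '\\'
        [array]::Reverse($labels)
        $hostname = $labels -join '.'
        foreach ($scheme in $key.GetValueNames()) {
            if ([int]$key.GetValue($scheme) -eq $Zone) {
                [pscustomobject]@{ Host = $hostname; Scheme = $scheme; Zone = $zoneNames[$Zone] }
            }
        }
    }
}

function Test-IEEnhancedSecurity {
    # ESC state for administrators on Server SKUs; GUID assumed unchanged on your version.
    $esc = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    $p = Get-ItemProperty -Path $esc -ErrorAction SilentlyContinue
    return ($null -ne $p -and [int]$p.IsInstalled -eq 1)
}

function Set-ZoneMitigation([int]$Zone) {
    $path = "$zonesKey\$Zone"
    # The per-setting values are what IE reads; CurrentLevel records which template the UI shows.
    Set-ItemProperty -Path $path -Name 'CurrentLevel' -Value 0x12000 -Type DWord
    Set-ItemProperty -Path $path -Name '1200' -Value 3 -Type DWord
    Set-ItemProperty -Path $path -Name '1400' -Value 3 -Type DWord
}

if ($Apply) { foreach ($z in 1, 3) { Set-ZoneMitigation $z } }

Write-Output '== Local intranet / Internet zone settings (HKCU) =='
1, 3 | ForEach-Object { Get-ZoneState $_ } | Format-Table -AutoSize | Out-Host

Write-Output '== Hosts mapped into Trusted sites (exempt from the settings above) =='
$trusted = @(Get-MappedDomains 2)
if ($trusted.Count -eq 0) { Write-Output '(none)' }
else { $trusted | Sort-Object Host | Format-Table -AutoSize | Out-Host }

$escState = if (Test-IEEnhancedSecurity) { 'on' } else { 'off (or not a Server SKU)' }
Write-Output "IE Enhanced Security Configuration for administrators: $escState"
```

Run it as the user whose Internet Explorer profile matters, since the zone settings and the Trusted Sites list live under HKCU. Two gaps to keep in mind when reading the output: if the machine sets Security_HKLM_only, the per-machine keys under HKLM apply instead of the HKCU ones the script reads, and sites trusted by IP range (the ZoneMap\Ranges keys) or through the ESC-specific EscDomains list are not enumerated here. The point of the Trusted Sites listing is exactly the one the comment raises: if the site serving the exploit appears there, the zone mitigations do nothing for it, and only the patch or EMET helps.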
  • so here you're just contradicting

    your last article, where you saw no reasons to buy a Chromebook. You've written about Windows and IE zero-day vulns, and not just once. Other people have done it too. It's been pretty regular old news. How many times have you written about a similar exploited vulnerability on Chrome OS (or on Android)? I don't recall any.

    So, imho, when bashing Chromebooks you should have pointed out that security is (at least) one reason to buy a Chromebook. I am sure it wasn't a deliberate omission...
    eulampius
    • eulampius: "security is (at least) one reason to buy a chrome-book"

      Have you forgotten this piece written on November 6, 2013, by Mr. Seltzer?

      "Google engineers rage at NSA"
      http://www.zdnet.com/google-engineers-rage-at-nsa-7000022874/
      "Summary: Google cryptography engineers explain their anger at the NSA for violating security systems they built to stop criminals."

      Remember that Chrome OS is primarily a thin client and that the storage medium for most, if not all, users of Chromebooks/Chromeboxes is Google's cloud. Thus, a violation of Google's cloud IS a violation of Chrome OS (and to a lesser extent, Android).

      As noted in one of the comments on the article, "if the NSA can do it, others potentially can as well".
      Rabid Howler Monkey
      • Rabid, you know

        that this is a completely different topic, don't you? Chrome OS and why Google has been silly not encrypting their own traffic, not hardening their own OS, which is apparently what MS fails to do.
        eulampius
    • A flaw in your logic, Mr. Eulampius

      Your logic would be correct if browsing the Internet were the only thing you ever did. But computers do much more. A Chromebook is still a handicapped laptop that relies upon the cloud and is subject to all the problems therein.

      And please don't tell me that you can do anything via a browser. First, that is not true; second, many of the cloud apps simply aren't as good as what you have inside your own computer.

      Doc
      Doc.Savage
      • Mr. Doc.Savage,

        I think, and not only I do, that a lot of people primarily browse the Internet on their machines and barely do anything else. And BTW, I cannot do with MS Windows as much as I can with my GNU Linux system. As for the latter, there is a way to run almost an entire GNU Linux desktop concurrently with Chrome OS in a chroot jail without any visible performance penalties, even on ARM-based Chromebooks. It can be done suing the crouton project.
        Now tell me again why people need such an inconvenient, insecure, unreliable and so tough to maintain system called Microsoft Windows?
        eulampius
        • s/suing/using/

          no suing and lawyer are necessary :)
          eulampius
  • Microsoft to patch zero-day bug Tuesday

    That was a quick turnaround time for this patch. Our security person already sent the email stating to expect the patch and install it as soon as it's released.
    Loverock.Davidson
    • Mr. Davidson: "That was a quick turn around time for this patch"

      Was it? One wonders when Microsoft first became aware of the vulnerability as FireEye's first blog article on the subject was dated Friday, November 8, 2013. This is only five (5) days ago.

      In the past, Microsoft has been criticized for sitting on known vulnerabilities for too long. Hopefully, we'll get the details on the timing of the disclosure regarding this vulnerability later today when it is patched and attributions are made.
      Rabid Howler Monkey
    • It has to be a coincidence.

      There's no way Microsoft was reacting to this attack. Perhaps there was an earlier attack using it that got hushed up, but that's just speculation.
      larry@...
      • Possibly the patch has been ready for many months...

        but delayed because the NSA was using it...

        Now that it is public, they can release the patch... and angle for credit for being so "quick"..

        for the paranoid...:)
        jessepollard