Microsoft: October Patch Tuesday vulnerability patched in November

[Correction: ] One of the October Internet Explorer vulnerabilities wasn't patched until November
Written by Larry Seltzer, Contributor on

[CORRECTION: My first take on this was just plain wrong. The update I read in the security bulletin was in the October Patch Tuesday bulletin, not the November bulletin. I was partly confused because it's unusual for Microsoft to have Cumulative Updates for Internet Explorer two months in a row, as they did in October and November. My apologies to you and to Microsoft, but what happened is still interesting, so here goes:]

Two days after the October Patch Tuesday updates, Microsoft corrected one of that month's security bulletins to indicate that it had not in fact patched one of the vulnerabilities listed in it. That vulnerability, CVE-2013-3871, was instead patched in the November updates, specifically as part of MS13-088: Cumulative Security Update for Internet Explorer.

The initial bulletin was MS13-080: Cumulative Security Update for Internet Explorer — note that both are Cumulative Updates. It originally listed 10 vulnerabilities, one of them CVE-2013-3871. The vulnerability was credited to Simon Zuckerbraun working with HP's Zero Day Initiative.

Microsoft gave essentially no description of the vulnerability, either in October or November, beyond the title: Internet Explorer Memory Corruption Vulnerability.

Symantec has a little more explanation in their description of the bug, although this text is also boilerplate for such a vulnerability:

Microsoft Internet Explorer is prone to a memory-corruption vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions. Microsoft Internet Explorer 6, 7, 8, 9, and 10 are affected.