Microsoft: October Patch Tuesday vulnerability patched in November

[Correction: ] One of the October Internet Explorer vulnerabilities wasn't patched until November

[CORRECTION: My first take on this was just plain wrong. The update I read in the security bulletin was in the October Patch Tuesday bulletin, not the November bulletin. I was partly confused because it's unusual for Microsoft to have Cumulative Updates for Internet Explorer two months in a row, as they did in October and November. My apologies to you and to Microsoft, but what happened is still interesting, so here goes:]

Two days after the October Patch Tuesday updates , Microsoft corrected one of the security bulletins for that month to indicate that they had not in fact patched one of the vulnerabilities listed in it. That vulnerability — CVE-2013-3871 — was, in fact, patched in the November updates , specifically as part of MS13-088: Cumulative Security Update for Internet Explorer.

The initial bulletin was MS13-080: Cumulative Security Update for Internet Explorer — note that both are Cumulative Updates. It originally listed 10 vulnerabilities, one of them CVE-2013-3871. The vulnerability was credited to Simon Zuckerbraun working with HP's Zero Day Initiative.

Microsoft gave essentially no description of the vulnerability, either in October or November, beyond the title: Internet Explorer Memory Corruption Vulnerability.

Symantec has a little more explanation in their description of the bug, although this text is also boilerplate for such a vulnerability:

Microsoft Internet Explorer is prone to a memory-corruption vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions. Microsoft Internet Explorer 6, 7, 8, 9, and 10 are affected.