Microsoft: One less bug fixed on Patch Tuesday

Microsoft has updated one of their security bulletins with the news that one of the vulnerabilities listed in it wasn't actually patched.

Microsoft on Thursday updated one of the security bulletins they released on Tuesday. MS13-080, a cumulative update for Internet Explorer, previously listed 10 vulnerabilities, and now lists only nine.


The vulnerability is CVE-2013-3871, and was described in the original bulletin as a memory corruption vulnerability, with this vague elaboration:

Remote code execution vulnerabilities exist when Internet Explorer improperly accesses an object in memory. These vulnerabilities could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

The other none vulnerabilities are also memory corruption vulnerabilities.

A notice sent on a mailing list from Microsoft said that including the vulnerability in the bulletin was an error, and that it was not, in fact, included in the MS13-080 update code. "CVE-2013-3871 is scheduled to be addressed in a future security update. "

The original version (thank you Wayback Machine) also credits Simon Zuckerbraun, working with HP's Zero Day Initiative, for reporting the vulnerability to Microsoft.