Patch Tuesday: Microsoft Addresses Dangerous Browser Flaw In Critical Update


Microsoft on Tuesday issued a bevy of software fixes, addressing a dangerous zero-day vulnerability in an outdated Internet Explorer component that attackers are actively exploiting.

The software giant's November 2013 Patch Tuesday included eight bulletins, three critical, repairing 19 vulnerabilities in Windows, Office and its Hyper-V virtualization server software.

Solution providers told CRN that the focus of this month's update will be on testing and deploying a fix for 10 Internet Explorer vulnerabilities, along with an update that disables an outdated ActiveX control used by the browser, in which a zero-day flaw is being actively exploited.


Security researchers had detected the vulnerable ActiveX component being abused in targeted attacks against some U.S. businesses. The zero-day exploit targeted users of Internet Explorer 7 and 8 running on Windows XP. Windows 7 users were also at risk, said Elia Florio, a software engineer at Microsoft's Security Response Center. Florio said Windows XP users were at higher risk because the operating system lacks the newer security technologies that are designed to thwart such an attack on Windows 7 and higher.

The zero-day exploit was detected by researchers at security vendor FireEye, who found it hosted on a breached website. Microsoft has been phasing out browser ActiveX components in recent years. The browser update affects all supported versions of Internet Explorer. The company's security bulletin described a variety of coding errors, including flaws that could enable remote code execution if a user is lured to a malicious website or hit by a drive-by attack on a compromised one.
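Microsoft distributes this kind of ActiveX removal as a "kill bit": the update writes a REG_DWORD named Compatibility Flags with the 0x400 bit set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, after which Internet Explorer refuses to instantiate the control. The following PowerShell function is an added example for verifying that a kill bit has landed on a patched machine; it is not code from the CRN article or from Microsoft. The CLSID shown in the usage line is a placeholder, since the article does not name the affected control; substitute the CLSID from the bulletin.

```powershell
# Added example (not from the article or from Microsoft): report whether a given
# ActiveX control is blocked in Internet Explorer by a kill bit.
# Kill-bit updates set bit 0x400 of the REG_DWORD "Compatibility Flags" under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.

function Test-ActiveXKillBit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
        [string]$Clsid
    )

    $KillBit = 0x400

    # On 64-bit Windows check both the native view and the WOW6432Node view,
    # because 32-bit Internet Explorer reads the redirected hive.
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )

    foreach ($path in $paths) {
        $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'

        [pscustomobject]@{
            Path       = $path
            Flags      = if ($null -ne $flags) { '0x{0:X}' -f $flags } else { '(absent)' }
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
        }
    }
}

# Usage: the CLSID below is a placeholder; replace it with the one named in the
# bulletin. KillBitSet should be True in every view that exists on the machine.
Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```

A control whose key is absent is not blocked at all, so "(absent)" in the Flags column means the update has not been applied (or has not reached that registry view), not that the control is gone. Run the check from an elevated prompt on a representative patched host before declaring the rollout complete.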

Microsoft said engineers are still testing an update for a second zero-day vulnerability, in an image-handling component used by Office, that affects Windows Vista users. Attacks have been ongoing, targeting individuals in the Middle East and South Asia. Microsoft has issued a temporary workaround that can be used to prevent the flaw from being exploited until the patch ships.

Solution providers said that although the browser and ActiveX patches need to be rolled out rapidly, thorough testing is necessary for businesses that depend on Internet Explorer and Windows to run critical applications. Rolling out a patch without thoroughly testing it can break applications, said Rob Kraus, director of research at Omaha, Neb.-based managed security services provider Solutionary.

Microsoft also repaired a critical flaw in its graphics device interface that attackers could target by sending a victim a malicious WordPad document. The update impacts every supported version of Windows.
