Among the eight security bulletins Microsoft released yesterday, the zero-day in Internet Explorer was finally covered after in-the-wild attacks had been reported.
Released last night as part of its monthly Patch Tuesday, MS13-080 patches two vulnerabilities that are being exploited in the wild. As described in Security Advisory 2887505, an attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user running Internet Explorer.
Wolfgang Kandek, CTO of Qualys, said: “This fixes ten vulnerabilities, including CVE-2013-3893, the zero-day that Microsoft originally acknowledged in September as having limited and targeted attacks in Asia. Since the volume continued to stay low, even after Metasploit added their implementation, Microsoft opted for a normal release schedule during Patch Tuesday, which places the least stress on IT organisations.
“MS13-080 also addresses CVE-2013-3897 in an interesting case that illustrates the concurrent discoveries of vulnerabilities. The vulnerability underlying CVE-2013-3897 was found internally at Microsoft and would have been fixed in MS13-080 as part of the normal security engineering and hardening that the product undergoes constantly.
“However, in the last two weeks, attacks against the same vulnerability became public, again limited and targeted in scope, but since the fix was in the code already, it enabled Microsoft to address the vulnerability in record time.”
Ross Barrett, senior manager of security engineering at Rapid7, said: “It’s been an interesting month for the Microsoft Security watchers of the world. If your job depends on securing systems running Windows, you should be eagerly awaiting the patch for the Internet Explorer (IE) 0-day (CVE-2013-3893: SetMouseCapture Use-After-Free) vulnerability in today’s Patch Tuesday (MS13-080).
“Exploitation of this vulnerability was detected first in targeted, regionally restricted exploitation, and then later in broader use once the exploit code spread to various public sites. Hopefully users have applied the Microsoft FixIt and/or EMET mitigations, and maybe even tested them with the Metasploit module that came out last week.
“Now, that’s not to say that the remaining eight IE vulnerabilities are not potentially just as bad or worse. However, at least at this time, they are not known to be in use.”
Lamar Bailey, director of security research and development at Tripwire, said: “So far these bugs are only being exploited in limited attacks, but users are still strongly encouraged to patch IE as soon as possible. Now that a patch is available we expect to see a rise in the number of attacks using these vulnerabilities.”
Of the remaining seven bulletins, three are classified as critical and four as important.