Microsoft will patch the zero-day in Internet Explorer next week among a batch of eight bulletins.
Microsoft's next Patch Tuesday will cover the zero-day along with three other critical issues in Windows and the .NET Framework. Four patches rated important will also be released for Office, Silverlight and Server Software.
Wolfgang Kandek, CTO of Qualys, said: “Microsoft has had a turbulent two weeks since their security advisory KB2887507, which detailed CVE-2013-3893, a zero-day vulnerability in Internet Explorer that was being used for targeted attacks in Asia. Since then, we have seen research that links the exploit to malware as early as August. There also have been reports of the exploit starting to be used in a more widespread manner by other cyber criminal groups, and its release as a Metasploit module just this week. A workaround (Fix-It) has been available since 17th September.
“But this situation is now resolved: Bulletin #1 is for Internet Explorer and addresses the recent zero-day. This is certainly the top-priority patch for next week and it affects all versions of Internet Explorer from 6 to 11. Fortunately, attack volume using this vulnerability has continued to be low and this has given Microsoft the opportunity to do a full test cycle on all possible combinations of operating systems and target sites.”
Tyler Reguly, technical manager of security research and development at Tripwire, said: “Microsoft is releasing eight bulletins this month. Once again, the behemoth of SharePoint is on the list. At this point, given how vulnerable SharePoint has been lately and how difficult it is to patch, you have to wonder if it still provides value over similar offerings.
“The good news is that it looks like the Microsoft zero-day will be resolved. While I would have liked to see a faster turnaround, you still have to give Microsoft props for the quick patch turnaround.”



