Microsoft to patch latest IE zero day four days after disclosure.
In an update, Dustin Childs, group manager, response communications at Microsoft Trustworthy Computing, said that the vulnerability, CVE-2013-3918, which affects an Internet Explorer ActiveX Control, will be addressed in a critical bulletin due to be released today.
The vulnerability, which was detailed by FireEye last Friday, can be used in drive-by download attacks, as the exploit leverages an information leakage vulnerability and an IE out-of-bounds memory access vulnerability to achieve code execution.
Dana Tamir, director of enterprise security product marketing at Trusteer, said: “This is the second Internet Explorer (IE) zero-day discovered in less than two months. Back in September, Microsoft released a ‘Fixit’ for a zero-day known as CVE-2013-3893. Again, this new zero-day exposes millions of IE users to drive-by downloads that they cannot protect against.
“Because no patches are available, exploitation of zero-day vulnerabilities is successfully used by cybercriminals to deliver advanced malware to user machines. Once the malware is there, the cyber-criminal can gain full control over the machine and steal sensitive personal and business information. The only way to protect against zero-days is by using a technology that prevents the exploitation of application vulnerabilities, regardless of patch availability.”



