Microsoft Patch Tuesday Repairs Two IE Zero-Day Flaws


Microsoft issued eight security bulletins on Tuesday, repairing 26 flaws throughout its product portfolio including two Internet Explorer zero-day vulnerabilities actively targeted by attackers in the wild.

The software maker also announced it awarded a $100,000 prize to a researcher for demonstrating a unique way to bypass the company's built-in security controls.

Four of the eight security bulletins Microsoft issued as part of its October 2013 Patch Tuesday were rated critical, including a widely expected bulletin repairing 10 flaws in the Web browser. The other critical bulletins included repairs to the Windows Kernel-Mode Drivers, fixes to remote code execution vulnerabilities in the .NET Framework and an update to the Windows Common Control Library.

 


The browser update impacts all supported versions of Internet Explorer. It repairs a known zero-day flaw that was used in carrying out the Bit9 data breach. The update also repairs a second actively targeted zero-day flaw impacting IE8 running on Windows XP and Windows 7. The exploit appears to be used in financially motivated attacks targeting banking users in Korea and Japan, according to analysis conducted by security firm Trustwave, which is credited with detecting the flaw.

"The attacks so far seem to be limited to one part of the world," Trustwave said. "However, as with most zero-days, their exploitation tends to increase rapidly following disclosure so we expect to see more activity related to this zero-day in the future."

Security updates impacting Internet Explorer could be prompting some enterprises to consider switching to Mozilla Firefox or Google's Chrome browser, said Tyler Reguly, technical manager of security research and development at vulnerability management vendor Tripwire. Automated updates that trigger in the background for both alternative browsers make them more secure for some enterprises, Reguly said.

"Unfortunately users are always going to be at risk of component flaws such as Java, Flash and PDF vulnerabilities," Reguly told CRN. "Some enterprises making the move to other browsers might worry about incompatibilities, but those are now far and few between."

Reguly and other vulnerability management experts said the other critical bulletins for Windows and the .NET Framework are also frequent occurrences throughout the year. The update fixing seven flaws in the Windows Kernel-Mode Drivers impacts the way Windows addresses shared content using OpenType or TrueType font files. The update is critical because an exploit targeting the errors could easily be created and used in drive-by attacks. Most of the errors enable elevation of privileges and could be used in a two-pronged attack, according to Reguly.
