Patch Tuesday: Microsoft Addresses Dangerous Browser Flaw In Critical Update

Microsoft Tuesday issued a bevy of software fixes, addressing a dangerous zero-day vulnerability in an outdated component of Internet Explorer that attackers are actively targeting.

The software giant's November 2013 Patch Tuesday included eight bulletins, three critical, repairing 19 vulnerabilities in Windows, Office and its Hyper-V virtualization server software.

Solution providers told CRN that the focus of this month's update will be on testing and deploying a fix to repair 10 Internet Explorer vulnerabilities and an update that removes support for a dangerous zero-day flaw in an outdated ActiveX component that the browser uses.


Security researchers had detected the ActiveX component being used in targeted attacks against some U.S. businesses. The zero-day exploit targeted users of Internet Explorer 7 and 8 running on Windows XP. Windows 7 users were also at risk, said Elia Florio, a software engineer at Microsoft's Security Response Center. Florio said Windows XP users were at a higher risk because the operating system lacks the newer security technologies designed to thwart an attack against users of Windows 7 and higher.

The zero-day exploit was detected by researchers at security vendor FireEye who discovered it hosted on a breached website. Microsoft has been phasing out browser ActiveX components in recent years. The browser update impacts all supported versions of Internet Explorer. The company's security bulletin indicated a variety of coding errors, including flaws that could enable remote code execution and be used in drive-by attacks or to get a user to visit a malicious website.

Microsoft said engineers are still testing an update for a second Internet Explorer zero-day vulnerability affecting Windows Vista users. Attacks have been ongoing, targeting individuals in the Middle East and South Asia. Microsoft has issued a temporary fix that can be applied to prevent the flaw from being exploited until the full update ships.

Solution providers said that although the browser and ActiveX patches need to be rolled out rapidly, thorough testing is necessary for businesses that depend on Internet Explorer and Windows to run critical applications. Rolling out a patch without thoroughly testing it can break applications, said Rob Kraus, director of research at Omaha, Neb.-based managed security services provider Solutionary.

Microsoft also repaired a critical flaw in its graphics device interface that attackers could target by sending a victim a malicious WordPad document. The update impacts every supported version of Windows.


In addition, three vulnerabilities in Microsoft Office were repaired, and vulnerability management experts said patching administrators should deploy the updates as soon as possible. Every supported version of Microsoft Office is impacted, and attackers will likely attempt to create an exploit targeting the flaws, said Marc Maiffret, chief technology officer of BeyondTrust, in his analysis of the latest round of updates.

Microsoft also released an important-rated security update for Hyper-V, addressing a flaw an attacker could use to crash a virtual machine. The update affects users of Hyper-V on Windows 8 and Windows Server 2012.

Microsoft also issued a security advisory warning businesses about a vulnerability in how DirectAccess authenticates DirectAccess server connections to DirectAccess clients. The technology was designed to provide a secure connection to the corporate intranet. The flaw could be used in a man-in-the-middle attack to establish connections with a computer and sniff encrypted network traffic. The advisory covers all supported versions of Windows. Microsoft said it was not aware of any active attacks targeting the flaw.