Microsoft issued a handful of software patch bulletins in its November Patch Tuesday release, one of which addressed a dangerous zero-day vulnerability in an outdated component of Internet Explorer.
The release includes eight bulletins, three of which are rated "critical", repairing 19 vulnerabilities in Windows, Microsoft Office and the firm's Hyper-V virtualisation server software. The priority for administrators, however, is testing and deploying the fix for 10 Internet Explorer (IE) vulnerabilities, together with an update that disables an outdated IE ActiveX component targeted by a zero-day exploit.
The zero-day exploit was detected by researchers at security vendor FireEye, who discovered it hosted on a compromised website. The exploit targeted users of IE7 and IE8 running on Windows XP.
"An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user," Microsoft advised. "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
Security firm Qualys highlighted the zero-day vulnerability as "the top of our priority list of patches". It is addressed in bulletin MS13-090, which sets the kill bit for the affected ActiveX control so that Internet Explorer will no longer load it.
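A kill bit is nothing more than a registry flag: Internet Explorer refuses to instantiate a control whose CLSID has bit 0x400 set in the "Compatibility Flags" value under the ActiveX Compatibility key. The following PowerShell is an added example written for this article, not code from Microsoft or from the bulletin, that an administrator can use to confirm the update took effect on a machine. The CLSID is a placeholder: the article does not name the affected control, so substitute the CLSID listed in the MS13-090 bulletin. On 64-bit Windows the 32-bit browser reads the Wow6432Node hive, so both locations are checked.

```powershell
# Added example (not part of the article): verify that the ActiveX kill bit
# is set for a given CLSID on the local machine.
# The default CLSID below is a PLACEHOLDER; replace it with the CLSID named
# in the MS13-090 bulletin.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'  # placeholder, not a real control
)

function Test-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)

    # Internet Explorer consults these keys before loading a control.
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )

    foreach ($path in $paths) {
        $item  = Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        $flags = if ($null -ne $item) { [int]$item.'Compatibility Flags' } else { $null }

        [pscustomobject]@{
            Path    = $path
            Present = ($null -ne $flags)
            Flags   = if ($null -ne $flags) { ('0x{0:X}' -f $flags) } else { '' }
            # Bit 0x400 is the kill bit; any other bits are unrelated compatibility flags.
            KillBit = ($null -ne $flags) -and (($flags -band 0x400) -eq 0x400)
        }
    }
}

Test-ActiveXKillBit -Clsid $Clsid | Format-Table -AutoSize
```

Run it in an elevated prompt after deploying MS13-090; a row with KillBit set to True for the relevant hive confirms the control is blocked. A row with Present set to False means the update has not been applied on that machine, which is the condition a patch-compliance check should flag.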
"The attack vector here is a malicious webpage configured for a drive-by download attack," said Qualys CTO Wolfgang Kandek.
Microsoft said engineers are still testing an update for a second Internet Explorer zero-day vulnerability impacting Windows Vista users and it has issued a temporary patch that can be used to prevent the flaw from being exploited.
Qualys explained that the remaining bulletins in the Patch Tuesday release cover "normal" vulnerabilities that were disclosed in a coordinated fashion to Microsoft, and that the highest priority goes to MS13-088, the Internet Explorer bulletin that fixes 10 vulnerabilities. This bulletin is rated "critical" and covers all versions of Internet Explorer, from IE6 to IE11. The vulnerabilities addressed could be abused to gain Remote Code Execution (RCE), all by simply browsing to a malicious website.
The remaining vulnerabilities are all less critical, rated "important", and can be addressed in the normal patch schedule, Qualys advised.