Microsoft to patch actively-exploited zero-day flaw on Tuesday

Graham Cluley

On Friday, researchers at security firm FireEye shared details of critical vulnerabilities they had discovered in Internet Explorer and – worse – that they were being actively exploited by cybercriminals.

A blog post by Dustin Childs of Microsoft’s Trustworthy Computing group shares the good news that the security flaws are already set to be fixed in this month’s regular Patch Tuesday bundle, due to be released tomorrow.

Late last Friday, November 8, 2013, a vulnerability, CVE-2013-3918, affecting an Internet Explorer ActiveX Control was publicly disclosed. We have confirmed that this vulnerability is an issue already scheduled to be addressed in “Bulletin 3”, which will be released as MS13-090, as listed in the November Advanced Notification Service (ANS). The security update will be distributed to customers tomorrow via Windows Update at approximately 10:00 AM PDT. Customers who have Automatic Updates enabled will not need to take any action to receive the update.

It’s good news that Microsoft has a fix already in the works, and ready for public use so quickly, as security researchers claim that they have seen malware capable of using the exploit to load directly into targeted computers’ memory, bypassing the hard drive.


The “diskless” nature of the threat poses extra challenges for companies attempting to determine if any of their computers have been compromised.

(Note to readers: the security flaws uncovered by FireEye are different from the current TIFF image zero-day vulnerability, a fix for which seems unlikely to be ready for Patch Tuesday)

It should go without saying – if you run Microsoft software on your computer, you need to pay attention when they issue their security updates, and consider rolling them out across your PCs as quickly as possible.

Indeed, if you are a home user then the best approach is almost certainly to enable automatic updates for important security fixes like this.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
