
Microsoft Patches Not 1, but 2, Critical Internet Explorer Flaws

Source: Tom's Guide US

Microsoft's latest round of Patch Tuesday monthly security updates is even more serious than expected, with a previously undisclosed critical vulnerability in Internet Explorer being patched along with a known critical exploit.

"The biggest surprise from this month's advisories is that Microsoft has addressed not one, but two, critical Internet Explorer zero-days," said Craig Young, security researcher at Portland, Ore., vulnerability-management provider Tripwire. "These fixes should be the highest priority for patch deployment, since both of these issues are being exploited in the wild."

Users of all versions of Microsoft Windows should avoid using Internet Explorer until the patches are installed and the PCs rebooted, as both vulnerabilities let an attacker compromise a PC whose user merely visits a booby-trapped page, even for an instant.

Microsoft had previously issued a temporary "Fix-it" for one of the IE holes, which is actively being used to attack government and financial websites in Japan and Taiwan. 

In its official security bulletin for October, Microsoft said it was "aware of targeted attacks" that tried to exploit the second IE vulnerability. It's a safe bet that many more attacks will arise over the next few days as malware writers reverse-engineer the patch.


Limited exposure for limited user accounts

Users who do all their Web browsing and emailing from "limited" user accounts that can't install or delete software will have some protection, as both Internet Explorer exploits can only gain system privileges matching those of the infected user.

"An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user," Microsoft's bulletin stated. "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

However, other flaws in Windows addressed in the patches pushed out yesterday (Oct. 8) can escalate privileges beyond those of the infected user, giving the attacker full administrative rights over the PC.

"The most severe of these vulnerabilities could allow remote code execution if a user views shared content that embeds OpenType or TrueType font files," the security bulletin said. "An attacker who successfully exploited these vulnerabilities could take complete control of an affected system."

Two other critical vulnerabilities being patched involved Microsoft's .NET Framework and ASP software, both of which could be used to attack Web browsers running on Windows.

Lesser patches, deemed merely "Important" in Microsoft's classification system, included fixes for vulnerabilities in Microsoft Excel, Office and Word, including Microsoft Office for Mac 2011.

To be fully protected as quickly as possible, users should go into Windows' Control Panel and set Windows Update to automatically install Microsoft patches.

"We released October's Security Bulletins, including MS13-080, to help protect customers using Internet Explorer," said Dustin Childs, group manager at Microsoft Trustworthy Computing. "The majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically."

Unpatched government PCs may become sitting ducks

However, that may not protect U.S. government employees whose offices are closed during the ongoing federal shutdown. 

"While most of the government security staff was deemed essential, it is likely that many of the employee PCs and laptops were turned off, so it will be hard to patch them," John Pescatore, director of emerging technologies at the SANS Institute in Bethesda, Md., told Computerworld.

When those workers do get back to their desks and boot up their machines, it will take a day or two for the updates to be fully installed, providing a window of opportunity for attackers targeting U.S. government workers.

Adobe Systems, which has synchronized its patch schedule with Microsoft's, pushed out fixes for Acrobat XI and Reader XI for Windows. Previous versions of either product, as well as all those for Macs, are not affected.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Comments
das_stig, October 9, 2013 11:21 AM
"Unpatched government PCs may become sitting ducks" - Absolute rubbish and scaremongering. Most big companies, and no doubt the Governments, push updates via WSUS or a similar service, so as long as they are connected to the network or are WOL aware, they will get updated at some point.

DRosencraft, October 9, 2013 12:44 PM
Actually, many gov't and industry PCs don't push updates until the IT dept reviews the update set. There are a number of reasons, not limited to guarantees of security. Not to mention the statement is by itself completely valid - a PC that is unpatched is in fact a sitting duck to any exploit based on the issue that wasn't patched. As the article goes on to note, if no one is around to turn the computers on, how exactly are they supposed to update? Even if a service can push updates, there is still that window of continued vulnerability if the systems aren't actually up and running until after the folks get back to work.

cushgod, October 9, 2013 12:56 PM
@6DRosencraft, if the computers are off, how are they going to be infected? chillpill

itsmekirill, October 9, 2013 1:42 PM
I'm sort of amused by how Patch Tuesday is always a big event and people always bemoan the latest vulnerabilities in MS software. When Firefox or Chrome release updates, on the other hand, which usually include security fixes, they're called "new versions," so that's okay.

Deadfred, October 9, 2013 4:05 PM
Two down, 545,788,433,543,554,879,778,104 to go.