Microsoft's latest round of Patch Tuesday monthly security updates is even more serious than expected, with a previously undisclosed critical vulnerability in Internet Explorer being patched along with a known critical exploit.
"The biggest surprise from this month's advisories is that Microsoft has addressed not one, but two, critical Internet Explorer zero-days," said Craig Young, security researcher at Portland, Ore., vulnerability-management provider Tripwire. "These fixes should be the highest priority for patch deployment, since both of these issues are being exploited in the wild."
Users of all versions of Microsoft Windows should avoid using Internet Explorer until the patches are installed and the PCs rebooted, as both vulnerabilities allow attackers to compromise a PC whose browser merely loads a malicious page, even for an instant.
In its official security bulletin for October, Microsoft said it was "aware of targeted attacks" that tried to exploit the second IE vulnerability. It's a safe bet that many more attacks will arise over the next few days as malware writers reverse-engineer the patch.
Limited exposure for limited user accounts
Users who do all their Web browsing and emailing from "limited" user accounts that can't install or delete software will have some protection, as both Internet Explorer exploits can only gain system privileges matching those of the infected user.
"An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user," Microsoft's bulletin stated. "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
However, other flaws in Windows addressed in the patches pushed out yesterday (Oct. 8) can escalate privileges beyond those of the infected user, giving the attacker full administrative rights over the PC.
"The most severe of these vulnerabilities could allow remote code execution if a user views shared content that embeds OpenType or TrueType font files," the security bulletin said. "An attacker who successfully exploited these vulnerabilities could take complete control of an affected system."
Two other critical vulnerabilities being patched involved Microsoft's .NET Framework and ASP software, both of which could be used to attack Web browsers running on Windows.
Lesser patches, deemed merely "Important" in Microsoft's classification system, included fixes for vulnerabilities in Microsoft Excel, Office and Word, including Microsoft Office for Mac 2011.
To be fully protected as quickly as possible, users should go into Windows' Control Panel and set Windows Update to automatically install Microsoft patches.
"We released October's Security Bulletins, including MS13-080, to help protect customers using Internet Explorer," said Dustin Childs, group manager at Microsoft Trustworthy Computing. "The majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically."
Unpatched government PCs may become sitting ducks
However, that may not protect U.S. government employees whose offices are closed during the ongoing federal shutdown.
"While most of the government security staff was deemed essential, it is likely that many of the employee PCs and laptops were turned off, so it will be hard to patch them," John Pescatore, director of emerging technologies at the SANS Institute in Bethesda, Md., told Computerworld.
When those workers do get back to their desks and boot up their machines, it will take a day or two for the updates to be fully installed, providing a window of opportunity for attackers targeting U.S. government workers.
Adobe Systems, which has synchronized its patch schedule with Microsoft's, pushed out fixes for Acrobat XI and Reader XI for Windows. Previous versions of either product, as well as all those for Macs, are not affected.