Hang in there, Internet Explorer peeps: Gaping zero-day fix coming Tues

What a way to celebrate a DECADE of Patch Tuesday rollouts


Microsoft is preparing to close a wide-open security hole in Internet Explorer - a vulnerability state-backed spies are exploiting to mine organisations across Asia.

A update to fix the flaw is among four critical patches Redmond has lined up for the October edition of Patch Tuesday, due next week. Versions 6 through to 11 of the web browser are known to be vulnerable.

The use-after-free bug in Internet Explorer [CVE-2013-3893] allows attackers to execute arbitrary code on a victim's computer; a mark simply has to surf to a web page booby-trapped with JavaScript that triggers the flaw.

In fact, the bug itself is quite an interesting case study: modern Windows kernels attempt to randomise the layout of software in memory and mark the areas containing just data as non-executable, which in theory is supposed to make life extremely difficult for hackers.

But the web page, in this case, can coax IE into loading a Microsoft Office library that snubs address space layout randomisation (ASLR). This sits in a known region of memory, allowing the attack code to initially hop around the library and use instructions within it to grant itself permission to execute its payload of code.

The attack code is packed into JavaScript strings, which sit in memory that Internet Explorer's MSHTML component accidentally uses when it really shouldn't: it tries to call a function pointer, but by that fatal moment, this pointer instead refers to an attacker-controlled part of memory rather than the expected friendly function.

Exploited since August

The vulnerability first came to public attention late last month when targets in Japan were attacked by miscreants exploiting this programming gaffe. Security biz FireEye published an alert about the infiltration attempts on 23 September, and claimed that assaults using the same bug in Microsoft's browser software started around 23 August.

Redmond had realised there was a problem, though not its seriousness, days before FireEye sounded the alarm. Microsoft published technical details and workarounds to defend against the flaw on 17 September.

Security researchers have since linked the same CVE-2013-3893 bug to multiple attacks by various state-sponsored hacking crews against targets in Taiwan and elsewhere in the Far East. In this context the patch for Internet Explorer versions 6 to 11, due to arrive next Tuesday, can't come a day too soon.

October 2013 marks the tenth anniversary of Microsoft’s regular security patch rollouts, Patch Tuesday. Alongside the critical IE update, the world'll get three similarly critical security fixes for Windows that affect the vast majority of deployed platforms except Windows Server 2012 R2 and Windows RT 8.1. Everything from Windows XP up to and including Windows 8 and Windows RT will need patching.

Redmond's security gnomes are also fuelling up four lower severity security bulletins, all rated as "important". Microsoft Office, Microsoft Silverlight 5 and Redmond's Sharepoint portal server software will all need patching as a result of security fixes due to arrive on 8 October.

More details will be released once the updates are deployed next week. In the meantime, Microsoft's pre-release notice provides more details of the affected software packages.

Wolfgang Kandek, CTO of Qualys, commented: "The recent [Internet Explorer] 0-day ... is certainly the top-priority patch for next week and it affects all versions of Internet Explorer from 6 to 11. Fortunately, attack volume using this vulnerability has continued to be low and this has given Microsoft the opportunity to do a full test cycle on all possible combinations of operating systems and target sites."

Adobe - fresh from warning about a compromise on its website that might have exposed the IDs, password hashes, and encrypted credit card information of nearly three million customers - separately announced plans to deliver a solitary patch for Acrobat 11.0.4 and PDF Reader 11.0.4 on Windows. More details can be found in Adobe's advisory here. ®


Other stories you might like

  • Despite global uncertainty, $500m hit doesn't rattle Nvidia execs
    CEO acknowledges impact of war, pandemic but says fundamentals ‘are really good’

    Nvidia is expecting a $500 million hit to its global datacenter and consumer business in the second quarter due to COVID lockdowns in China and Russia's invasion of Ukraine. Despite those and other macroeconomic concerns, executives are still optimistic about future prospects.

    "The full impact and duration of the war in Ukraine and COVID lockdowns in China is difficult to predict. However, the impact of our technology and our market opportunities remain unchanged," said Jensen Huang, Nvidia's CEO and co-founder, during the company's first-quarter earnings call.

    Those two statements might sound a little contradictory, including to some investors, particularly following the stock selloff yesterday after concerns over Russia and China prompted Nvidia to issue lower-than-expected guidance for second-quarter revenue.

    Continue reading
  • Another AI supercomputer from HPE: Champollion lands in France
    That's the second in a week following similar system in Munich also aimed at researchers

    HPE is lifting the lid on a new AI supercomputer – the second this week – aimed at building and training larger machine learning models to underpin research.

    Based at HPE's Center of Excellence in Grenoble, France, the new supercomputer is to be named Champollion after the French scholar who made advances in deciphering Egyptian hieroglyphs in the 19th century. It was built in partnership with Nvidia using AMD-based Apollo computer nodes fitted with Nvidia's A100 GPUs.

    Champollion brings together HPC and purpose-built AI technologies to train machine learning models at scale and unlock results faster, HPE said. HPE already provides HPC and AI resources from its Grenoble facilities for customers, and the broader research community to access, and said it plans to provide access to Champollion for scientists and engineers globally to accelerate testing of their AI models and research.

    Continue reading
  • Workday nearly doubles losses as waves of deals pushed back
    Figures disappoint analysts as SaaSy HR and finance application vendor navigates economic uncertainty

    HR and finance application vendor Workday's CEO, Aneel Bhusri, confirmed deal wins expected for the three-month period ending April 30 were being pushed back until later in 2022.

    The SaaS company boss was speaking as Workday recorded an operating loss of $72.8 million in its first quarter [PDF] of fiscal '23, nearly double the $38.3 million loss recorded for the same period a year earlier. Workday also saw revenue increase to $1.43 billion in the period, up 22 percent year-on-year.

    However, the company increased its revenue guidance for the full financial year. It said revenues would be between $5.537 billion and $5.557 billion, an increase of 22 percent on earlier estimates.

    Continue reading

Biting the hand that feeds IT © 1998–2022