Happy 10th b-day, Patch Tuesday: TWO critical IE 0-day bugs, did you say?

A decade on, Microsoft pushes out 8 bulletins – half of 'em critical bug squishes


Microsoft delivered no fewer than eight bulletins to mark the tenth anniversary of Patch Tuesday, including a fix covering two zero-day vulnerabilities in Internet Explorer.

A critical patch for all supported versions of IE covers a well-anticipated fix for the CVE-2013-3893 vulnerability, which has been associated with cyber espionage-style attacks against targets in Japan, Taiwan and elsewhere in Asia since late August.

Microsoft also released a bonus extra fix for another in-the-wild browser bug. The same MS13-080 bulletin also covers the CVE-2013-3897 vulnerability that has become the target of attacks over the last two weeks or so. FireEye was the first to discover a malware campaign (dubbed Operation DeputyDog) linked to the CVE-2013-3893 security bug, while Trustwave SpiderLabs is claiming the credit for fingering the CVE-2013-3897 flaw.

"MS13-080 also addresses CVE-2013-3897 in an interesting case that illustrates the concurrent discoveries of vulnerabilities," explains Wolfgang Kandek, CTO of cloud security firm Qualys, in a blog post.

"The vulnerability underlying CVE-2013-3897 was found internally at Microsoft and would have been fixed in MS13-080 as part of the normal security engineering and hardening that the product undergoes constantly. However, in the last two weeks, attacks against the same vulnerability became public – again, limited and targeted in scope – but since the fix was in the code already, it enabled Microsoft to address the vulnerability, CVE ID CVE-2013-3897, in record time."

Microsoft explains that the MS13-080 bulletin “fixes multiple security issues, including two critical vulnerabilities that haven't been actively exploited in limited targeted attacks.”

All versions of IE, from 6 to 11, need patching with updates that tackle 10 vulnerabilities in total.

The MS13-080 bulletin is by far the most important of the October batch but Redmond is also releasing three other critical fixes and four "important" security bulletins. The batch, which marks the tenth anniversary of Patch Tuesday, collectively grapples with 26 vulnerabilities.

The critical MS13-081 update addresses seven vulnerabilities in the Windows kernel, including problems in font handling, and can be triggered remotely through malicious web pages and maliciously formatted Office documents. Bugs in Microsoft's .NET Framework and finally a vulnerability in Windows Common Control Library (64 bit only) occupy the remaining two berths on the critical list.

The upshot is that everything from Windows XP up to and including Windows 8 and Windows RT will need patching to defend against security bugs that are more problematic for desktop systems.

Noteworthy "important" vulnerabilities MS13-085 and MS13-086, both cover remote code execution-type vulnerabilities in Microsoft Excel and Microsoft Word, respectively. Security watchers are more worried about the potential for mischief from these bugs than Microsoft itself.

The two other "important" updates cover lesser security bugs in Microsoft Silverlight 5 and Redmond's Sharepoint portal server software.

Microsoft's advisory and an easier to understand graphical overview from the SANS Institute's Internet Storm Centre provide more information.

Adobe – fresh from warning about a compromise on its website that might have exposed the IDs, password hashes, and encrypted credit card information of nearly three million customers – separately delivered a patch for its Acrobat and Reader software. Adobe also patched its RoboHelp software. ®


Other stories you might like

  • NASA installs a new and improved algorithm to better track near-Earth asteroids

    Nearly 20 year-old software used to protect humanity gets an upgrade

    NASA has upgraded its near-Earth asteroid monitoring algorithm to model hazardous space rocks more accurately after nearly two decades, it announced on Tuesday.

    The new system, dubbed Sentry-II, is more powerful than its predecessor, Sentry. Astronomers working at the space agency's Center for Near Earth Object Studies can now automatically calculate thermal influences that nudge an asteroid’s orbit, potentially sending it hurtling towards our home planet.

    The so-called Yarkovsky effect describes the subtle and gradual change of motion when asteroids are heated by the Sun’s light. When asteroids spin, one side of its surface exposed to the star gets heated. As it continues to rotate, the hot region enters shade and cools down. Infrared energy is radiated outwards; the photons carry momentum and impart a tiny thrust on the asteroid. Over long periods of time, these small kicks can change their paths and knock them out of their original orbit.

    Continue reading
  • Facebook slapped with an eyepopping $150B lawsuit for spreading hate speech against Rohingya refugees

    Lawsuit claims social media giant's algos helped Myanmar military crackdown on the Rohingya

    Meta was sued on Tuesday for a whopping $150 billion in a class-action lawsuit for allegedly amplifying hate speech and aiding the Myanmar military in the genocide of the Rohingya people.

    The case, led by an anonymous Rohingya refugee living in the US, accuses the entity formerly known as Facebook of inciting hatred and inflicting real harm on the predominantly Muslim group for years. Not only did the social media platform ignore hate speech posts, it's alleged that the service's algorithms actively promoted anti-Rohingya propaganda as hundreds of thousands of people fled from Myanmar to escape persecution.

    Facebook has already acknowledged its role in the campaign, which saw an estimated 25,000 people perish and 700,000 forced from the country. The lawsuit also comes after ex-employee and whistleblower Frances Haugen leaked internal documents demonstrating how its algorithms prioritized engagement over safety.

    Continue reading
  • Power management IC shortage holding cars, laptops, hostage

    Couple of cents-worth of kit causing big problems for the year to come

    The shortage of power management chips is worsening and holding back companies from building cars, PCs and items with batteries or an on-off switch, Trendforce said in a study this week.

    Power management ICs cost just a few cents, and are among cheap chips that include display driver and USB-C components that are in short supply. These chips are as important to PCs and other electronics as CPUs or memory.

    The demand for PMICs has gone through the roof with the emergence of electric cars and growing demand for PCs and consumer electronics during the past 20 plus months. Trendforce expects the prices will go up by 10 per cent to a six-year high of $0.23.

    Continue reading

Biting the hand that feeds IT © 1998–2021