Vulnerability allowed a "drive-by attack" of malware installation when computers visited a malicious Web site. November 11, 2013 4:14 PM PST Microsoft plans to issue a security update on Tuesday that addresses an Internet Explorer ActiveX Control vulnerability that allowed malware to be installed on computers when they visited at least one breached Web site. Microsoft said Monday that vulnerability CVE-2013-3918, which was disclosed Friday by security researcher FireEye, was already scheduled to be addressed in "Bulletin 3" on Tuesday. An exploit described by the security firm as a classic drive-by attack is already in the wild, targeting English versions of IE 7 and 8 in Windows XP and IE 8 on Windows 7. Related stories New zero-day bug targets IE users in drive-by attack ExploitShield becomes Malwarebytes Anti-Exploit Google push for faster zero day fixes hits a wall: Other companies FireEye said its analysis of the exploit found that it was part of an advanced persistent threat (APT) in which attackers inserted the exploit code directly "into a strategically important website, known to draw visitors that are likely interested in national and international security policy." Further distinguishing itself from other exploits was that it delivered its payload without first writing to disk. While the exploit's scope seemed pretty narrow, security researchers wrote that their analysis indicated that IE 7, 8, 9, and 10 could be at risk after a simple modification to the exploit code. Microsoft said Monday it was currently in the process of finalizing the update but that update would be issued around 10 a.m. PT Tuesday via Windows Update.
Vulnerability allowed a "drive-by attack" of malware installation when computers visited a malicious Web site.
Microsoft plans to issue a security update on Tuesday that addresses an Internet Explorer ActiveX Control vulnerability that allowed malware to be installed on computers when they visited at least one breached Web site.
Microsoft said Monday that vulnerability CVE-2013-3918, which was disclosed Friday by security researcher FireEye, was already scheduled to be addressed in "Bulletin 3" on Tuesday. An exploit described by the security firm as a classic drive-by attack is already in the wild, targeting English versions of IE 7 and 8 in Windows XP and IE 8 on Windows 7.
Related stories
- New zero-day bug targets IE users in drive-by attack
- ExploitShield becomes Malwarebytes Anti-Exploit
- Google push for faster zero day fixes hits a wall: Other companies
FireEye said its analysis of the exploit found that it was part of an advanced persistent threat (APT) in which attackers inserted the exploit code directly "into a strategically important website, known to draw visitors that are likely interested in national and international security policy." Further distinguishing itself from other exploits was that it delivered its payload without first writing to disk.
While the exploit's scope seemed pretty narrow, security researchers wrote that their analysis indicated that IE 7, 8, 9, and 10 could be at risk after a simple modification to the exploit code.
Microsoft said Monday it was currently in the process of finalizing the update but that update would be issued around 10 a.m. PT Tuesday via Windows Update.
