Microsoft Patches Two Internet Explorer Zero-Day Flaws
Microsoft is repairing not just the zero-day vulnerability in Internet Explorer that has been under active exploitation for two weeks, but also a second IE bug.

Microsoft released its monthly Patch Tuesday security update, including fixes for a pair of critical zero-day flaws in the Internet Explorer Web browser. IE, however, isn't the only critical area that Microsoft users need to be concerned about this month.

"There will be one thought on IT teams' minds today: 'Where did this second IE zero-day come from and why haven't we heard about it?'" Tyler Reguly, technical manager of security research and development at Tripwire, said. "The revelation of this extra little 'gift' in today's bulletin makes installing the IE patch as soon as possible even more critical than usual."

Lamar Bailey, director of security research and development at Tripwire, noted that the MS13-080 bulletin covers multiple Common Vulnerabilities and Exposures (CVEs) associated with IE, and two of these, CVE-2013-3897 and CVE-2013-3893, pertain to issues that are being exploited in the wild.

Among the flaws patched in the MS13-080 update for IE is the one identified as CVE-2013-3893. That particular flaw was first identified two weeks ago. Attacks against the vulnerability have been occurring in the wild ever since. Until today, Microsoft had only made a "Fix-It" update available for the flaw, providing a limited "band-aid" approach to mitigating the associated risk.

Microsoft has handled the CVE-2013-3893 situation professionally, Wolfgang Kandek, CTO of security vendor Qualys, told eWEEK.