Microsoft is planning to release a fix for an Internet Explorer zero-day bug being targeted in the wild this coming Patch Tuesday.
The vulnerability, which is being exploited against users of IE8, has been spotted being used in an attack campaign against numerous Websites, including the U.S. Department of Labor site. Users of Internet Explorer 6, 7, 9 and 10 are not affected.
Described as a remote code execution vulnerability, the flaw exists in the way that IE accesses an object in memory that has been deleted or has not been properly allocated. Microsoft already issued a FixIt tool this week to offer users some protection while a patch is being prepared.
“An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website,” according to Microsoft. “The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability.
“In all cases, however, an attacker would have no way to force users to view the attacker-controlled content,” Microsoft noted. “Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by opening an attachment sent through email.”
The patch for the vulnerability is expected to be ready May 14, making it one of 34 issues slated to be fixed. There will be 10 security bulletins released as part of the update, including eight rated “Important” and two rated “Critical.”
Both the critical bulletins address issues in Internet Explorer. The remaining bulletins cover vulnerabilities in Windows, Microsoft Lync, Microsoft Office and Microsoft Windows Essentials.
“May is going to be a busy month for administrators, with 10 patches and a number of restarts required,” said Alex Horan, senior product manager at CORE Security. “Reboots are always dreaded by admins, not only because they have a negative effect on uptime, but also [because they] raise the possibility of potential hardware failure upon restarting the machine.
“Bulletin 4 is targeting almost all Windows operating systems, and I would anticipate folks digging much deeper into this,” he added. “With Bulletin 9 targeting Windows Essentials, it puts the home users, who are notoriously slow to patch, at risk of a mass exploitation for recruitment to a botnet. Overall though, Bulletin 10 is the one I would want in my tool belt, with a privilege escalation across a wide range of Windows operating systems.”
Microsoft is not the only one releasing patches on Tuesday. Adobe Systems also plans to release a patch that day for a critical vulnerability affecting ColdFusion 10, 9.0.2, 9.0.1 and 9.0 and earlier versions for Windows, Macintosh and Unix. The vulnerability (CVE-2013-3336) could permit an unauthorized user to remotely retrieve files stored on the server, according to Adobe.
“There are reports that an exploit for this vulnerability is publicly available,” Adobe warned. “ColdFusion customers who have restricted public access to the CFIDE/administrator, CFIDE/adminapi and CFIDE/gettingstarted directories (as outlined in the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide) are already mitigated against this issue.”
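The mitigation Adobe describes above is an access restriction on three CFIDE directories, and the practical question for an administrator is whether that restriction is actually in force. The following script is an added example (it is not Adobe's code and not part of the original article): it reads web-server access log lines in the common combined format, picks out requests to `/CFIDE/administrator`, `/CFIDE/adminapi` and `/CFIDE/gettingstarted`, and reports any that were served successfully to a client outside a management network. The management network `10.0.0.0/8` and the log lines are constructed assumptions for the demonstration; path matching is case-insensitive because ColdFusion on Windows treats these paths that way.

```python
import re
from ipaddress import ip_address, ip_network

# The directories Adobe's advisory says must not be publicly reachable.
RESTRICTED_PREFIXES = ("/CFIDE/administrator", "/CFIDE/adminapi", "/CFIDE/gettingstarted")

# Assumption for this example: only this management network may reach the admin paths.
ADMIN_NETWORKS = [ip_network("10.0.0.0/8")]

# Combined log format: client ip, identd, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.0.5.12 - - [07/May/2013:09:15:01 -0400] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
198.51.100.7 - - [07/May/2013:09:16:44 -0400] "GET /CFIDE/adminapi/administrator.cfc?method=getSettings HTTP/1.1" 200 812
203.0.113.9 - - [07/May/2013:09:17:02 -0400] "GET /CFIDE/administrator/ HTTP/1.1" 403 210
203.0.113.9 - - [07/May/2013:09:17:30 -0400] "GET /cfide/GettingStarted/ HTTP/1.1" 200 1480
198.51.100.7 - - [07/May/2013:09:18:11 -0400] "GET /index.cfm HTTP/1.1" 200 9031
"""


def parse_line(line):
    """Return ip, path and status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "path": m.group("path"), "status": int(m.group("status"))}


def is_restricted_path(path):
    """True if the request path (query string ignored) falls under a locked-down directory."""
    clean = path.split("?", 1)[0].lower()
    return any(clean.startswith(prefix.lower()) for prefix in RESTRICTED_PREFIXES)


def classify(entry):
    """Decide whether a restricted-path request was handled as the lockdown intends."""
    client = ip_address(entry["ip"])
    if any(client in net for net in ADMIN_NETWORKS):
        return "allowed-admin"          # management network: access is expected
    if entry["status"] >= 400:
        return "blocked"                # public client was refused: lockdown working
    return "EXPOSED"                    # public client got content: lockdown gap


def audit(log_text):
    """Return every restricted-path request with a verdict attached."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_restricted_path(entry["path"]):
            entry["verdict"] = classify(entry)
            findings.append(entry)
    return findings


def exposed(log_text):
    """Only the requests that show the admin directories reachable from outside."""
    return [f for f in audit(log_text) if f["verdict"] == "EXPOSED"]


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['verdict']:13} {f['ip']:15} {f['status']} {f['path']}")
```

Run against a real log, any `EXPOSED` line means a client outside the management network retrieved content from one of the three directories, so the web-server or firewall rule described in the Lockdown Guides is not in effect for that path; a 403 or 404 from a public address is the expected result.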