Microsoft Patches Vulnerability Attackers Used to Target IE Users

Microsoft swatted a recently-discovered, zero-day bug being used in a watering hole attack as part of this month’s Patch Tuesday update.

The flaw, CVE-2013-3918, is a remote code execution vulnerability in the InformationCardSigninHelper ActiveX component used by Internet Explorer. The issue was already set to be fixed in MS13-090 before FireEye discovered it, explained Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing.

According to Microsoft, the attack in the wild is targeting IE 7 and IE 8 on Windows XP. The exploit being used by the attackers actually combines two distinct vulnerabilities. In addition to the remote code execution bug, an information disclosure vulnerability is also used to improve the reliability of the exploit and to create ROP (return-oriented programming) payloads tailored to the victim’s machine.

“The information disclosure vulnerability does not allow remote code execution and so it has a lower security rating since it will be typically used in combination with another high-severity bug (like it happened with CVE-2013-3918) to improve effectiveness of exploitation,” blogged Elia Florio of Microsoft’s Security Response Center Engineering team. “Also, this vulnerability requires attackers to have prior knowledge of path and filenames present on targeted machines in order to be successfully exploited. This vulnerability was not used to bypass ASLR, but simply to remotely determine the exact version of a certain DLL on disk in order to build a more precise ROP payload.”

“We are still investigating the impact and root cause of the information disclosure vulnerability and we may follow up with additional information and mitigations as they become available,” Florio added.

According to FireEye, the attack has a link to the infrastructure used in Operation DeputyDog, which began in August and has targeted organizations in Japan. The attack’s payload is a variant of Hydraq/McRAT that FireEye is calling Trojan.APT.9002.

While Microsoft closed the door on this particular zero-day, today’s Patch Tuesday did not include a fix for an unrelated zero-day vulnerability in the Microsoft graphics component that affects certain versions of Windows, Office and Lync. The company did, however, release a total of eight security bulletins, including three rated ‘critical’. Those three include not only the ActiveX vulnerability mentioned above, but also critical vulnerabilities affecting the Windows Graphics Device Interface (GDI) and Internet Explorer.

“Among the (IE) vulnerabilities, there are two information disclosure bugs and eight memory corruption issues that enable remote code execution–two of which (CVE-2013-3915 and CVE-2013-3917) affect every supported version of Internet Explorer,” explained BeyondTrust CTO Marc Maiffret. “These were all privately reported, with no known exploitation occurring in the wild. Typical exploitation scenarios will include attackers creating a malicious web page and convincing users to view the page, enabling the attackers to execute arbitrary code on the victims’ machines. Because every version of Internet Explorer is affected, it is highly recommended that this patch be rolled out as soon as possible.”

“The next bulletin, MS13-089, fixes a vulnerability in GDI, which affects every supported version of Windows from XP to Windows 8.1,” he added. “To exploit this vulnerability, attackers need to create a malicious file and convince users to open it in WordPad. So while this is not as simple as a browse-and-get-owned scenario offered by MS13-088, it is still potent, due to the fact that it affects every version of supported Windows. Administrators should deploy this patch as soon as possible.”

The remaining bulletins address issues in Microsoft Office, Outlook and Windows.
