Security Experts:

Connect with us

Hi, what are you looking for?



Microsoft Patches Vulnerability Attackers Used to Target IE Users

Microsoft swatted a recently-discovered, zero-day bug being used in a watering hole attack as part of this month’s Patch Tuesday update.

Microsoft swatted a recently-discovered, zero-day bug being used in a watering hole attack as part of this month’s Patch Tuesday update.

The flaw, CVE-2013-3918, is a remote code execution vulnerability the InformationCardSigninHelper ActiveX component used by Internet Explorer. The issue was already set to be fixed in MS13-090 before FireEye discovered it, explained Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing.  

According to Microsoft, the attack in the wild is targeting IE 7 and IE 8 on Windows XP. The exploit being used by the attackers actually combines two distinct vulnerabilities. In addition to the remote code execution bug, there is also an information disclosure vulnerability used as well to improve the reliability of the exploit and to create ROP (return-oriented programming) payloads specifically targeted for the victim’s machine.  

“The information disclosure vulnerability does not allow remote code execution and so it has a lower security rating since it will be typically used in combination with other high-severity bug (like it happened with CVE-2013-3918) to improve effectiveness of exploitation,” blogged Elia Florio of Microsoft’s Security Response Center Engineering team. “Also, this vulnerability requires attackers to have prior knowledge of path and filenames present on targeted machines in order to be successfully exploited. This vulnerability was not used to bypass ASLR, but simply to remotely determine the exact version of a certain DLL on disk in order to build a more precise ROP payload.”

“We are still investigating the impact and root cause of the information disclosure vulnerability and we may follow up with additional information and mitigations as they become available,” Florio added.

According to FireEye, the attack has a link to the infrastructure used in Operation DeputyDog, which began in August and has targeted organizations in Japan. The attack’s payload is a variant of Hydraq/McRAT that FireEye is calling Trojan.APT.9002.

While Microsoft closed the door on this particular zero-day, today’s Patch Tuesday did not include a fix for an unrelated zero-day vulnerability affecting the Microsoft graphics component affecting certain versions of Windows, Office and Lync. The company did however release a total of eight security bulletins, including three rated ‘critical’. Those three include not only the ActiveX vulnerability mentioned above, but also critical vulnerabilities affecting the Windows Graphic Device Interface and Internet Explorer.

“Among the (IE) vulnerabilities, there are two information disclosure bugs and eight memory corruption issues that enable remote code execution–two of which (CVE-2013-3915 and CVE-2013-3917) affect every supported version of Internet Explorer,” explained BeyondTrust CTO Marc Maiffret. “These were all privately reported, with no known exploitation occurring in the wild. Typical exploitation scenarios will include attackers creating a malicious web page and convincing users to view the page, enabling the attackers to execute arbitrary code on the victims’ machines. Because every version of Internet Explorer is affected, it is highly recommended that this patch be rolled out as soon as possible.”

“The next bulletin, MS13-089, fixes a vulnerability in GDI, which affects every supported version of Windows from XP to Windows 8.1,” he added. “To exploit this vulnerability, attackers need to create a malicious file and convince users to open it in WordPad. So while this is not as simple as a browse-and-get-owned scenario offered by MS13-088, it is still potent, due to the fact that it affects every version of supported Windows. Administrators should deploy this patch out as soon as possible.”

The remaining bulletins address issues in Microsoft Office, Outlook and Windows.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.