Microsoft plans to address zero-day IE bug on Tuesday

Vulnerability allowed a "drive-by attack" of malware installation when computers visited a malicious Web site.

Microsoft plans to issue a security update on Tuesday that addresses an Internet Explorer ActiveX Control vulnerability that allowed malware to be installed on computers when users visited at least one breached Web site.

Microsoft said Monday that vulnerability CVE-2013-3918, which was disclosed Friday by security researcher FireEye, was already scheduled to be addressed in "Bulletin 3" on Tuesday. An exploit described by the security firm as a classic drive-by attack is already in the wild, targeting English versions of IE7 and 8 in Windows XP and IE8 on Windows 7.

FireEye said its analysis of the exploit found that it was part of an advanced persistent threat (APT) in which attackers inserted the exploit code directly "into a strategically important Web site, known to draw visitors that are likely interested in national and international security policy." The exploit further distinguished itself from others by delivering its payload without first writing to disk.

While the exploit's scope seemed pretty narrow, security researchers wrote that their analysis indicated that IE7, 8, 9, and 10 could be at risk after a simple modification to the exploit code.

Microsoft said Monday it was in the process of finalizing the update but that it would be issued around 10 a.m. PT Tuesday via Windows Update.

About the author

Steven Musil is the night news editor at CNET News. Before joining CNET News in 2000, Steven spent 10 years at various Bay Area newspapers.

