Microsoft plans to address zero-day IE bug on Tuesday

Vulnerability allowed a "drive-by attack" of malware installation when computers visited a malicious Web site.

Steven Musil Night Editor / News

Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.

Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.

See full bio

Steven Musil

Nov. 11, 2013 4:14 p.m. PT

Microsoft plans to issue a security update on Tuesday that addresses an Internet Explorer ActiveX Control vulnerability that allowed malware to be installed on computers when users visited at least one breached Web site.

Microsoft said Monday that vulnerability CVE-2013-3918, which was disclosed Friday by security researcher FireEye, was already scheduled to be addressed in "Bulletin 3" on Tuesday. An exploit described by the security firm as a classic drive-by attack is already in the wild, targeting English versions of IE7 and 8 in Windows XP and IE8 on Windows 7.

FireEye said its analysis of the exploit found that it was part of an advanced persistent threat (APT) in which attackers inserted the exploit code directly "into a strategically important Web site, known to draw visitors that are likely interested in national and international security policy." Further distinguishing itself from other exploits was that it delivered its payload without first writing to disk.

While the exploit's scope seemed pretty narrow, security researchers wrote that their analysis indicated that IE7, 8, 9, and 10 could be at risk after a simple modification to the exploit code.

Microsoft said Monday it was in the process of finalizing the update but that upgrade would be issued around 10 a.m. PT Tuesday via Windows Update.