Today for Patch Tuesday, Microsoft and Adobe are both coming out with critical fixes for a number of widely installed and attacked programs. Microsoft has 10 bulletins addressing a total of 33 vulnerabilities, and Adobe is releasing new versions of Adobe Reader, Adobe Flash and ColdFusion.
It is the week before May's Patch Tuesday and Microsoft has published its Advance Notification, giving us insight into what to expect next Tuesday.
There will be 10 bulletins this month, covering all versions of Internet Explorer (IE), Microsoft Office and Windows. The fixes for IE include the patch for the current 0-day vulnerability. A total of five bulletins allow for remote code execution (RCE) and should be the focus points for your patching next week.
Microsoft is currently dealing with an exploit (KB2847140) for a 0-day vulnerability in Internet Explorer (IE). Machines attacked by this exploit will yield full control to the attacker and allow him to install more advanced malware such as the well-known RAT Poison Ivy. The exploit was first discovered last Wednesday on a Department of Labor website specialized in nuclear technology. It has since spread to other websites and is now also available in Metasploit. The exploit works only against IE version 8 (IE8), which limits the exposure to about 42% of all systems, according to the latest count from our BrowserCheck service.
IE8 is the latest version available on Windows XP, and was also the original version installed on Windows 7. This explains the rather high numbers that we are seeing for this older browser. Windows 7 users have access to IE9, which is not affected by this attack and has a much better security architecture. Upgrading to IE9 is a straightforward way to defend against the attack.
Microsoft published Fix-it 50992, which uses their Appcompat shim technology to neutralize the vulnerability. The Fix-it can be accessed at KB2847140.
A Metasploit module has been made available for the 0-day vulnerability, which will make it easier to convince IT management of the robustness and applicability of the exploit.
Yesterday Microsoft published security advisory KB2847140 about an exploit for a 0-day vulnerability (CVE-2013-1347) in Internet Explorer 8. The exploit is in active use in the wild, for example on the compromised website at the US Department of Labor earlier this week. Initially it was widely reported that the website was exploiting a known vulnerability in Internet Explorer to then install the remote access tool Poison Ivy.
Update 2 (March 4): Oracle released a new version of Java – v7 update 17 – addressing 2 vulnerabilities, CVE-2013-1493 and CVE-2013-0809. Both had been scheduled to be included in next month's scheduled update on April 16, but were brought forward due to the attacks in the wild. Patch as soon as possible.
Update (March 4): Oracle assigned CVE-2013-1493 to the vulnerability reported by FireEye. Some more details can be found in this CVRF formatted document which also lists CVE-2013-0809.
Original: Yesterday FireEye published an analysis on what looks like another exploit against a vulnerability in the latest version of Java. Java 7 update 15 was released just two weeks ago, but we have already heard from security researchers who have found flaws in the software, plus now this latest news of exploits in the wild.
These attacks are all against Java on the desktop and use the browser as an attack vector. Our recommendation is to uninstall Java from the desktop if possible; otherwise, disconnect Java from the browser, which recent versions of Java have made much easier. If neither of these options works, look at a whitelisting solution for Java. Through its Zone mechanism, Internet Explorer enables you to disable Java in the Internet Zone but leave it enabled in the Trusted Sites zone, which then needs to contain the sites that you need to run Java on (GoToMeeting, internal sites, etc).
We will keep you updated as the information on this latest exploit becomes more precise.
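To check whether a machine already follows the zone-based Java restriction described above, the following read-only PowerShell audit can be used. It is an added example, not code from the original post. It assumes the relevant setting is IE's per-zone "Java permissions" URL action (registry value `1C00`, where `0` means prohibited) under zone `3` (Internet) and zone `2` (Trusted Sites), and the order in which the registry locations are checked is likewise an assumption.

```powershell
# Added example: report Internet Explorer's Java permission (URL action 1C00)
# for the Internet and Trusted Sites zones. Read-only; it changes nothing.
$zoneNames = @{ 2 = 'Trusted Sites'; 3 = 'Internet' }

# Goal from the text: Java off in the Internet zone, on in Trusted Sites.
$wanted = @{ 2 = 'Enabled'; 3 = 'Disabled' }

# Locations that can define zone settings. The first one that sets 1C00 is
# reported (assumed order: policy keys before preference keys).
$roots = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

function Get-JavaZoneState {
    param([int]$Zone)
    foreach ($root in $roots) {
        $key  = Join-Path $root $Zone
        $prop = Get-ItemProperty -Path $key -Name '1C00' -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            $value = [int]$prop.'1C00'
            # 0 = Java prohibited; any other value is some level of "allowed".
            $state = if ($value -eq 0) { 'Disabled' } else { 'Enabled' }
            return [pscustomobject]@{
                Zone      = $zoneNames[$Zone]
                Source    = $key
                Value     = ('0x{0:X8}' -f $value)
                State     = $state
                Compliant = ($state -eq $wanted[$Zone])
            }
        }
    }
    # No location defines 1C00: flag it for manual review.
    [pscustomobject]@{
        Zone      = $zoneNames[$Zone]
        Source    = '(not set)'
        Value     = $null
        State     = 'NotSet'
        Compliant = $false
    }
}

2, 3 | ForEach-Object { Get-JavaZoneState -Zone $_ } | Format-Table -AutoSize
```

A zone reported as `NotSet` or non-compliant still needs the Trusted Sites list reviewed, since that list decides which sites keep Java.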