Long-time Windows users know to be on the lookout for security updates from Microsoft on the second Tuesday of every month. This month’s payload of patches, however, includes a fix for an Internet Explorer (IE) zero-day vulnerability that is being exploited in the wild.
Zero-Day?
A zero-day flaw is one that’s already being exploited in the wild the day it’s discovered, before the vendor has had a chance to release a fix.
In this particular case, the flaw in Microsoft’s Internet Explorer was discovered on November 8th, when security researchers noted malicious software taking advantage of a previously unknown “hole” in Windows’ default web browser.
What’s the Problem?
What makes this particular exploit dangerous is that it can attack your Windows computer using something known as a “drive-by” attack. In other words, a trusted website is compromised and, when visited by a vulnerable computer, code is executed remotely to install malicious software on your computer.
According to a blog post made by Microsoft’s Security Research & Defense team, they have “analyzed samples from the active attack that are targeting only older Internet Explorer versions running on Windows XP (IE7 and 8) because of the lack of additional security mitigations on those platforms (Windows 7 is affected but not under active attack). EMET was able to proactively mitigate this exploit.”
However, that does not mean IE 9 and later versions are invulnerable. It just means they’ve not been attacked yet.
What Can You Do?
The good news is that, as of noon today, Microsoft has already patched the flaw in its web browser, so all you need to do is install the patch!
For computers with Automatic Updates turned on, the patch should be installed and applied automatically without intervention. Due to the severity of this particular flaw in Internet Explorer, however, ESC! Technologies Group recommends that you manually check for and apply updates on your Windows computers using the Windows Update feature (aka Microsoft Update).
For Further Reading
New IE Zero-Day Found in Watering Hole Attack
Technical details of the targeted attack using IE vulnerability CVE-2013-3918
Cumulative Security Update of ActiveX Kill Bits (MS13-090)
How To Enable Automatic Updates in Windows