MS13-090 will address Zero-Day delivering diskless malware

Microsoft has promised a patch for the Zero-Day flaw in Internet Explorer disclosed by researchers at FireEye last Friday.

On Monday, Microsoft promised a patch for the Zero-Day flaw in Internet Explorer disclosed by researchers at FireEye last Friday, which is being used to deliver diskless malware.

As it turns out, FireEye disclosed a rare vulnerability in Internet Explorer. Rare as in Microsoft already knew about it, and was planning to patch it.

However, because Microsoft keeps the exact details of a pending patch secret until the last minute, it's unknown if FireEye was aware of a pending patch when they disclosed the issue.

FireEye researchers said on Sunday that the attack disclosed Friday uses a Zero-Day vulnerability in Internet Explorer, but noted that this one is completely unrelated to the vulnerability confirmed by Microsoft that's targeting TIFF files.

This newly discovered flaw "has been used in a strategic Web compromise," FireEye said, adding that the compromised domain is "known to draw visitors that are likely interested in national and international security policy."

Furthermore, the attackers loaded the payload used in this attack directly into memory without first writing to disk - a technique not typically used by advanced persistent threat (APT) actors. This technique will further complicate network defenders’ ability to triage compromised systems, using traditional forensics methods.

In a blog post, Microsoft's Dustin Childs said that the flaw referenced by FireEye was previously known, and was already slated for a patch. Something of a rarity, Childs then went on to inform readers that MS13-090 will be the security update that contains the patch for FireEye's discovery, also listed as CVE-2013-3918.

Again, MS13-090 does not patch the TIFF related issue disclosed by Microsoft last week. The latest information from Redmond says that a fix isn't going to be ready in time. As a reminder, Microsoft Office 2003 and 2007 are affected directly. Microsoft has confirmed attacks in the Middle East and South Asia.

However, Office 2010 is impacted too, but only if it's running on Windows XP or Server 2003. Likewise, Windows Vista SP 2, Server 2008, and Microsoft Lync, are also valid attack surfaces.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.