Microsoft finally releases a much-needed patch for a zero-day threat to Internet Explorer.
If it weren’t for problems with .NET Framework and Windows kernel updates, October’s Patch Tuesday would be relatively uneventful.
Microsoft finally patches a zero-day threat
On Sept. 17, Microsoft released Security Advisory 2887505, which warned of an unpatched memory-corruption vulnerability in IE. As detailed in an Oct. 1 Threatpost blog, a relatively small number of attack campaigns have been launched against Asian sites. Security researchers thought that Microsoft might release an out-of-cycle fix, but instead the company released KB 2879017 on the usual Patch Tuesday schedule — about three weeks after the vulnerability was publicly announced.
As reported in the Sept. 19 Patch Watch update, Microsoft did post a temporary fixit with Security Advisory 2887505. If you installed the fixit, you don’t have to uninstall it before adding KB 2879017 — the official patch.
The update is rated critical for all supported desktop versions of Internet Explorer — including IE 11 in Windows 8.1. Along with the vulnerability reported in the Sept. 17 MS Security Advisory, the update covers nine related vulnerabilities, including one or more that were exclusive to Korean- and Japanese-language versions of Windows XP.
What to do: Install KB 2879017 (MS13-080) as soon as offered.
Adobe Flash and Acrobat housekeeping
Typically, we see Adobe Flash security updates on Patch Tuesday. But Release 11.9.900.117 includes only performance fixes, so there’s no reason to update immediately. When you do update, get it from its Adobe download page; some third-party sites have bogus Flash download links that are malicious. Also watch out for the potentially unwanted application offers, such as Chrome, that are included with the Flash installer.