Microsoft has published an advance notification for vulnerabilities that will be patched in the January 2013 'Patch Tuesday' security bulletin due next week. However, anyone hoping for a permanent fix to deal with the Internet Explorer zero-day exploit that surfaced during the seasonal holiday period is going to be disappointed. There is no IE patch in this bunch, and while that might be a bit of a surprise to some given that IE security bulletins have become a very regular experience of late, the truth is that to expect a zero-day fix from Microsoft just a week or so after discovery is optimistic to say the least.

The zero-day vulnerability in question affects users of versions 6, 7, and 8 of Microsoft Internet Explorer and, courtesy of how IE accesses an object in memory that has been deleted or improperly allocated, can enable remote execution of code on target machines if the victim visits a malicious (or maliciously compromised) web site. The exploit is publicly available as a Metasploit module and in the wild. Although there will be no permanent patch from Microsoft next week, the software giant has already provided a one-click 'Fix-It' solution as a temporary measure while a proper patch is being developed. Of course, simply updating to either Internet Explorer 9 or 10 would also do the trick, as neither are listed as being vulnerable.

So what can we expect to see fixed as part of the forthcoming Patch Tuesday collection? Lamar Bailey, Director of Security Research and Development for nCircle, says "We’re starting 2013 with two critical code execution vulnerabilities in Windows. One affects Windows 7 and the other effects everything including Windows 8. Bulletin two affects a range of core components in Windows along with server software and developer tools. Given the scope of the software affected and the critical rating, this bulletin has the potential to give IT security teams a lot of heartburn next week.”

Meanwhile, Ziv Mador who is the Director of Security Research with the advanced security 'SpiderLabs' team at Trustwave warns that "If you were hoping for a nice relaxing Patch Tuesday after the holidays, well, sorry to disappoint you. Microsoft will be issuing seven new bulletins next week; two of them are rated as ‘Critical’. Both critical bulletins can result in the holy grail of remote code execution. The other five bulletins are all rated as ‘Important’. Of the two critical bulletins one of them lists all currently supported versions of Windows from XP SP3 up to Server 2008 R2 as well as several versions of Office, Sharepoint and Groove Server. This is most likely an issue in one of the base libraries meaning it will have a wide impact. The other critical bulletin only lists Windows 7 and Server 2008 as vulnerable but it still results in RCE so it shouldn’t be taken as any less serious. The five remaining ‘Important’ bulletins result mostly in Elevation of Privilege with one Security Feature Bypass and one Denial of Service. Six of them impact different versions of Windows and Windows Server with one Elevation of Privilege hitting Microsoft System Center Operations Manager. The MS SCOM is a cloud management platform allowing you to manage multiple hypervisors."

138 Views
About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to Forbes.com, The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, which was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three times winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...

Do not use IE. USe google chrome, Firefox. IE is trouble

I use FireFox browser.

Member Avatar
Member 949455

The zero-day vulnerability in question affects users of versions 6, 7, and 8 of Microsoft Internet Explorer and, courtesy of how IE accesses an object in memory that has been deleted or improperly allocated, can enable remote execution of code on target machines if the victim visits a malicious (or maliciously compromised) web site.

Most Asian countries still used IE 6, 7, and 8.

I know a few people in Italy still used IE 6, 7, and 8.

I'm not sure with other European countries.

The reason why not the upgrade?

I think it has something to do with the OS they are using.

I'm not really sure about the OS but feel it has something to do with it unless someone has explanation.