ActiveX Control issue being addressed in Update Tuesday
Late last Friday, November 8, 2013, a vulnerability, CVE-2013-3918, affecting an Internet Explorer ActiveX Control was publicly disclosed. We have confirmed that this vulnerability is an issue already scheduled to be addressed in “Bulletin 3”, which will be released as MS13-090, as listed in the November Advanced Notification Service (ANS). The security update will be distributed to customers tomorrow via Windows Update at approximately 10:00 AM PDT. Customers who have Automatic Updates enabled will not need to take any action to receive the update.
While we are in the process of finalizing the security update to address this issue, we encourage Internet Explorer customers concerned with this vulnerability to apply the following mitigations:
- Set Internet and local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones. This action will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
- Configure Internet Explorer to prompt before running Active Scripting or disable Active Scripting in the Internet and local intranet security zones. This action will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
- Deploy the Enhanced Mitigation Experience Toolkit (EMET). This will help prevent exploitation by providing mitigations to help protect against this issue and should not affect usability of websites.
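The first two mitigations above are per-user Internet Explorer zone settings, which makes them easy to audit and roll out with a script. The following PowerShell is an added example and is not code from Microsoft or from this post: it reports whether ActiveX controls and Active Scripting are still enabled in the Internet and Local intranet zones, applies the "prompt" or "disable" setting for Active Scripting (and optionally blocks ActiveX controls), and adds a site to the Trusted Sites zone so it is exempt from the restriction. The registry locations and action codes are the standard IE zone settings (Zones\1 = Local intranet, Zones\3 = Internet; 1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting; 0 = Enable, 1 = Prompt, 3 = Disable); the host name in the usage line is a placeholder.

```powershell
# Added example, not from the original post. Audits and applies the IE zone
# mitigations described above for the current user (HKCU), then adds a trusted site.
#
# Assumed (standard IE zone settings): Zones\1 = Local intranet, Zones\3 = Internet,
# value 1200 = "Run ActiveX controls and plug-ins", value 1400 = "Active scripting",
# action codes 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZoneNames    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Actions      = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$ActionLabels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEZoneMitigationState {
    # One row per zone/setting: Mitigated is $false wherever the action is still "Enable".
    foreach ($zone in $ZoneNames.Keys) {
        $key = Join-Path $ZonesKey $zone
        foreach ($action in $Actions.Keys) {
            $value = (Get-ItemProperty -Path $key -Name $action -ErrorAction SilentlyContinue).$action
            # A missing value means the zone template default applies; for these two
            # zones that default is Enable, so treat "absent" as exposed.
            if ($null -eq $value) { $value = 0 }
            $label = if ($ActionLabels.ContainsKey([int]$value)) { $ActionLabels[[int]$value] } else { "Unknown($value)" }
            [pscustomobject]@{
                Zone      = $ZoneNames[$zone]
                Setting   = $Actions[$action]
                Value     = [int]$value
                State     = $label
                Mitigated = ([int]$value -ne 0)
            }
        }
    }
}

function Set-IEZoneMitigation {
    # Sets Active Scripting to Prompt (default) or Disable in both zones;
    # -BlockActiveX additionally disables running ActiveX controls, as a "High" zone does.
    param(
        [ValidateSet('Prompt', 'Disable')] [string]$ActiveScripting = 'Prompt',
        [switch]$BlockActiveX
    )
    $scriptValue = if ($ActiveScripting -eq 'Disable') { 3 } else { 1 }
    foreach ($zone in $ZoneNames.Keys) {
        $key = Join-Path $ZonesKey $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '1400' -Value $scriptValue -Type DWord
        if ($BlockActiveX) {
            Set-ItemProperty -Path $key -Name '1200' -Value 3 -Type DWord
        }
    }
}

function Add-IETrustedSite {
    # ZoneMap stores www.example.com as Domains\example.com\www with a DWORD named
    # after the scheme; value 2 places the site in the Trusted Sites zone.
    param(
        [Parameter(Mandatory)] [string]$HostName,
        [string]$Scheme = 'https'
    )
    $labels = $HostName.Split('.')
    if ($labels.Count -gt 2) {
        $domain = $labels[-2..-1] -join '.'
        $sub    = $labels[0..($labels.Count - 3)] -join '.'
        $key = Join-Path (Join-Path $ZoneMapKey $domain) $sub
    } else {
        $key = Join-Path $ZoneMapKey $HostName
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value 2 -Type DWord
}

# Usage: audit first, then apply and exempt known-good sites.
Get-IEZoneMitigationState | Format-Table -AutoSize
Set-IEZoneMitigation -ActiveScripting Prompt -BlockActiveX
Add-IETrustedSite -HostName 'intranet.example.com'   # placeholder host name
Get-IEZoneMitigationState | Where-Object { -not $_.Mitigated }   # should return nothing
```

Run the audit alone first to see the current exposure; the setter only touches HKCU, so it applies to the current user and is reversed by setting 1400 (and 1200) back to 0 or by choosing the zone's default level in Internet Options. Where Group Policy manages zone settings, the policy values under HKLM or the Policies hive take precedence over what this script writes.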
As a best practice, we always encourage customers to follow the “Protect Your Computer” guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. We also encourage customers to exercise caution when visiting websites and avoid clicking suspicious links or opening email messages from unfamiliar senders. Additional information can be found at www.microsoft.com/protect.
We will continue to monitor the threat landscape very closely and take appropriate action to help protect our customers.
Thank you,
Dustin Childs
Group Manager, Response Communications
Trustworthy Computing