During this month’s Patch Tuesday, Microsoft patched two vulnerabilities in Internet Explorer and Windows that were actively attacked before an update was available. Last month, antivirus vendor Qihoo 360 warned for the critical vulnerability in Internet Explorer that was attacked through Microsoft Word documents.
Simply opening a malicious Word document or visiting a malicious or hacked website with a vulnerable system was sufficient for attackers to execute random code on the system. Also Russian antivirus vendor Kaspersky Lab reported the issue to Microsoft.
“We expect this vulnerability to become one of the most exploited in the near future, as it won’t be long until exploit kit authors start abusing it in both drive-by (via browser) and spear-phishing (via document) campaigns,” Kaspersky Lab writes on its website.
The second vulnerability, that was actively attacked before a patch was available, was discovered by antivirus company ESET and allowed an attacker with access to the system to run code with kernel privileges. Because the system has to be compromised first, the vulnerability is classified by Microsoft as ‘important’.
Two other vulnerabilities in the Windows kernel, that allowed an attacker to elevate privileges and that disclosed information about the system, were already disclosed publicly but were not actively attacked, according to Microsoft.
Of the 67 vulnerabilities that Microsoft patched this month, 12 were marked as critical, 42 were marked as important and 4 were marked as low. The list includes vulnerabilities in Microsoft Office, ChakraCore, .NET framework and Exchange server.
On most systems the updates are automatically downloaded and installed.