Microsoft: We erred in recent Patch Tuesday; Internet Explorer zero-day still unpatched


Microsoft has revealed that it messed up in its recent Patch Tuesday bulletin: the bulletin included details about the Internet Explorer zero-day that shouldn’t have been there in the first place, because the security updates didn’t contain the fix for CVE-2013-3871.

Microsoft updated its Security Bulletin MS13-080 and stated that the Internet Explorer memory corruption vulnerability hasn’t been fixed and that a patch will be released in a future update.

“Bulletin revised to remove CVE-2013-3871 from the vulnerabilities addressed by this update”, notes Microsoft in the revisions section of the MS13-080 bulletin.

“Including this CVE in the original security bulletin text was a documentation error. CVE-2013-3871 is scheduled to be addressed in a future security update.”

The vulnerability in question, listed as CVE-2013-3871, is a critical security hole that affects all versions of Internet Explorer except version 11. If successfully exploited, the vulnerability will allow an attacker to execute arbitrary code on a vulnerable system. The vulnerability is credited to Simon Zuckerbraun working with HP’s Zero Day Initiative.