Microsoft plans to issue a security update on Tuesday that addresses an Internet Explorer ActiveX Control vulnerability that allowed malware to be installed on computers when users visited at least one breached Web site.
Microsoft said Monday that vulnerability CVE-2013-3918, which was disclosed Friday by the security firm FireEye, was already scheduled to be addressed in "Bulletin 3" on Tuesday. An exploit described by the firm as a classic drive-by attack is already in the wild, targeting English versions of IE7 and 8 on Windows XP and IE8 on Windows 7.
FireEye said its analysis of the exploit found that it was part of an advanced persistent threat (APT) in which attackers inserted the exploit code directly "into a strategically important Web site, known to draw visitors that are likely interested in national and international security policy." The exploit also differed from most others in that it delivered its payload without first writing it to disk.
While the exploit's scope seemed pretty narrow, security researchers wrote that their analysis indicated that IE7, 8, 9, and 10 could be at risk after a simple modification to the exploit code.
Microsoft said Monday that it was in the process of finalizing the update and that it would be issued around 10 a.m. PT Tuesday via Windows Update.