As the weather starts cooling down and the leaves begin to change in the Northern Hemisphere, Microsoft celebrates its 10th anniversary of releasing patches on Tuesdays. This Patch Tuesday, Microsoft has released 8 patches that address 26 individual vulnerabilities. Of the 8 patches released, 4 are identified by Microsoft as “critical”. The remaining patches are labeled “important” by Microsoft. This month’s patches are as follows:
- MS13-080 Cumulative Security Update for Internet Explorer (2879017)
- MS13-081 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2870008)
- MS13-082 Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2878890)
- MS13-083 Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2864058)
- MS13-084 Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2885089)
- MS13-085 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2885080)
- MS13-086 Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2885084)
- MS13-087 Vulnerability in Silverlight Could Allow Information Disclosure (2890788)
Looking over the patches, we would like to highlight the following three critical updates:
The first update we would like to highlight consists of patches for 10 vulnerabilities in Internet Explorer. This bulletin is our most important this month because it includes CVE-2013-3893, a publicly disclosed vulnerability. Microsoft acknowledged in September that this particular vulnerability was used in a zero-day attack in Asia, and an exploit for it is currently available to the public in Metasploit. The current CVE-2013-3893 exploits will not work on all versions of IE, but this one will even if DEP (data execution prevention) and ASLR (address space layout randomization) are enabled. It should be assumed that a highly determined adversary could figure out a way to use this vulnerability against any version of Internet Explorer, so all versions should be patched. All of these vulnerabilities could allow remote code execution if a user views a specially designed webpage using Internet Explorer. An adversary who successfully exploited these vulnerabilities could gain the same rights as the current user running Internet Explorer. This patch should be the top priority of your patching cycle this month.
The second update we would like to highlight consists of patches for 7 critical vulnerabilities found in all versions of Windows except for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2. The most severe of the vulnerabilities fixed by this security update could allow remote code execution if a user views a malicious webpage with specially designed OpenType fonts. Currently, there are no known exploits, but this patch should be applied as soon as possible, as we have seen font type vulnerabilities abused before. This patch should be the second priority of your patching cycle this month.
The third and final highlighted patch is also listed as critical for all Windows systems. This patch addresses a flaw in the widely used “comctl32” library. The vulnerability could allow remote code execution if an affected system is accessible via an ASP.NET web application and can receive a specially crafted request. An attacker who successfully exploits this vulnerability could gain the same user rights as the local user. The most likely attack vector for this vulnerability is via MSCOMCTL within an Office document.
Aggregate coverage (combining host and network-based countermeasures) is 18 out of 26. In particular, the most critical bulletin, the IE update (MS13-080), is covered by the following McAfee endpoint security software and NSP (McAfee IPS):
- BOP (Buffer Overflow Protection w/ VSE)
- App Control
Additional research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.
Finally, in case you’re interested, these briefings are archived on the McAfee Community site (updates prior to June 2013 are available here).