Welcome to another round of patches released by Microsoft. This is probably one of the most important Patch Tuesdays we have seen in a while, with Microsoft releasing seven bulletins that address 34 individual vulnerabilities. Of the seven bulletins, six are rated “critical” by Microsoft; the remaining one (MS13-058) is rated “important”. This month’s patches are as follows:
- MS13-052 Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution (2861561)
- MS13-053 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851)
- MS13-054 Vulnerability in GDI+ Could Allow Remote Code Execution (2848295)
- MS13-055 Cumulative Security Update for Internet Explorer (2846071)
- MS13-056 Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (2845187)
- MS13-057 Vulnerability in Windows Media Format Runtime Could Allow Remote Code Execution (2847883)
- MS13-058 Vulnerability in Windows Defender Could Allow Elevation of Privilege (2847927)
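The first thing most administrators want after reading a list like this is a way to confirm whether a given host still needs any of these bulletins. The script below is an added example written for this page, not code from the original post or from Microsoft or McAfee. It uses the Windows Update Agent COM API (Microsoft.Update.Session), whose IUpdate objects expose the bulletin IDs and KB numbers of each pending update, and cross-checks with Get-HotFix. It assumes the host can reach its configured update source (WSUS or Microsoft Update) and that the bulletin IDs and KB numbers are the ones listed above.

```powershell
# Added example (not from the original post): report which of the July 2013
# bulletins are still missing on this host, and which bulletin-level KBs show up
# as installed hotfixes.
# Assumptions: Windows Update Agent COM API available; host can reach WSUS or
# Microsoft Update; bulletin IDs and KB numbers taken from the list above.

$bulletins = @('MS13-052', 'MS13-053', 'MS13-054', 'MS13-055',
               'MS13-056', 'MS13-057', 'MS13-058')

# Bulletin-level KB numbers from the list above. Caveat: a bulletin that ships
# several packages (MS13-052 per .NET version, MS13-054 per component) installs
# hotfixes under package-specific KB numbers, so a Get-HotFix match on the
# bulletin KB alone can under-report. The Windows Update search below does not
# have that problem because it reports per bulletin ID.
$bulletinKbs = @('2861561', '2850851', '2848295', '2846071',
                 '2845187', '2847883', '2847927')

# 1. Ask the Windows Update Agent which applicable software updates are not
#    installed, then keep those tagged with one of this month's bulletin IDs.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software'")

$missing = foreach ($u in $result.Updates) {
    # SecurityBulletinIDs is empty for non-security updates.
    $hit = @($u.SecurityBulletinIDs) | Where-Object { $bulletins -contains $_ }
    if ($hit) {
        [pscustomobject]@{
            Bulletin = ($hit -join ',')
            KB       = (@($u.KBArticleIDs) -join ',')
            Severity = $u.MsrcSeverity
            Title    = $u.Title
        }
    }
}

# 2. Cross-check: which bulletin-level KBs are already present as hotfixes.
$installed = Get-HotFix |
    Where-Object { $bulletinKbs -contains ($_.HotFixID -replace '^KB', '') } |
    Select-Object HotFixID, InstalledOn

Write-Host "Host: $env:COMPUTERNAME"
Write-Host "`nJuly 2013 bulletins still missing (per Windows Update Agent):"
if ($missing) { $missing | Format-Table -AutoSize } else { Write-Host '  none' }

Write-Host "Bulletin-level KBs found via Get-HotFix:"
if ($installed) { $installed | Format-Table -AutoSize } else { Write-Host '  none' }
```

Run it in an elevated PowerShell session on each host (or through Invoke-Command against a list of hosts). An empty "missing" table is the result to trust; a short "installed" table is not by itself a problem, for the reason given in the comment about package-level KB numbers.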
Looking over the patches, I would like to highlight the following three:
The first, MS13-053 (Windows kernel-mode drivers), consists of fixes for eight vulnerabilities, in a bulletin Microsoft rates critical, affecting all currently supported desktop, tablet, and server versions of Windows. The security update addresses these vulnerabilities by correcting the way Windows handles specially crafted TrueType Font (TTF) files and by correcting the way Windows handles objects in memory. Microsoft’s bulletin states that CVE-2013-3172 and CVE-2013-3660 have been publicly disclosed, while the other six were privately reported. In my view this is the most important patch of the month in Microsoft’s listing.
The second highlighted patch, MS13-052, is also critical, not only for all currently supported Microsoft OSes running the .NET Framework but also for Macs and PCs running Microsoft Silverlight. The Silverlight vulnerability matters most to subscribers of on-demand video services (Netflix, for example) that rely on Silverlight on both Windows and Mac OS. The vulnerability (CVE-2013-3129) is a font-parsing issue that affects the font implementations in both of these products, which, for architectural reasons, are separate from the font handling of the Windows and Mac OSes.
The final highlighted bulletin, MS13-055, addresses 17 privately reported vulnerabilities in Internet Explorer (IE) that affect all currently supported versions, IE 6 through IE 10. I believe this bulletin should be highlighted because the patch fixes multiple vulnerabilities that can result in remote code execution from a web browser (browse and own). Though these 17 vulnerabilities have not yet been exploited, it would be easy for an adversary to set up a malicious web page to take advantage of one of them.
A look at McAfee’s coverage for this month’s vulnerabilities:
• McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 18 out of 34 vulnerabilities this month.
• McAfee Host Intrusion Prevention is expected to provide protection against exploits of 19 out of 34 vulnerabilities this month.
• McAfee Application Control is expected to provide protection against exploits of 21 out of 34 vulnerabilities this month.
• McAfee Network Security Platform has new signatures confirmed to protect against exploits of 9 out of 34 vulnerabilities this month.
• McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.
Aggregate coverage (combining host- and network-based countermeasures) is 22 out of 34. Additional research is being performed by McAfee Labs, and coverage may improve as supplemental results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.
Finally, in case you’re interested, these briefings are archived on the McAfee Community site.