As we close out the final weeks of summer, Microsoft has released another group of patches. This Patch Tuesday, Microsoft has released 8 patches, addressing 23 individual vulnerabilities. Of the eight patches released, three are identified by Microsoft as “critical.” The remaining patches are labeled “important” by Microsoft.
This month’s patches are as follows:
- MS13-059 Cumulative Security Update for Internet Explorer (2862772)
- MS13-060 Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution (2850869)
- MS13-061 Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2876063)
- MS13-062 Vulnerability in Remote Procedure Call Could Allow Elevation of Privilege (2849470)
- MS13-063 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2859537)
- MS13-064 Vulnerability in Windows NAT Driver Could Allow Denial of Service (2849568)
- MS13-065 Vulnerability in ICMPv6 Could Allow Denial of Service (2868623)
- MS13-066 Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (2873872)
Looking over the list, I would like to highlight the following three critical patches:
MS13-059 is the first update I would like to highlight. It consists of patches for 11 critical vulnerabilities found in all currently supported versions of Internet Explorer, including IE 11 Beta. The security update fixes multiple remote code execution vulnerabilities that exist when Internet Explorer improperly accesses an object in memory. As with most browser-based attacks, the attack vector for these vulnerabilities would be a malicious webpage or spear-phishing e-mail. Though there are no known uses of these vulnerabilities, with the recent release of this patch it will be only a short time before an adversary tries these tactics. This patch should be the top priority of your patching cycle this month.
MS13-060 is our second highlighted patch. It is also listed as critical, but only for Windows XP and Server 2003 systems which have the Bangali font installed. This font can be found on systems on which the Indic language pack is installed. Despite its narrow scope, older Windows systems with this font could potentially allow remote code execution through a flaw in the Windows Unicode Scripts Processor. Successful exploitation of this vulnerability could run malicious code as the current user. It is also worth mentioning that, with Windows XP going end of life next spring (April 2014), those who are still managing systems with XP should have a migration plan to move users off this outdated system.
MS13-061 is our final critical patch. It addresses 3 publicly reported vulnerabilities for Microsoft Exchange 2007 and 2010 that are caused by the third-party library “Outside In,” which was developed by Oracle. Oracle has since released fixes, and Microsoft has integrated these fixes into this patch. These vulnerabilities allow remote code execution as the LocalService account if a user views a malicious file through Outlook Web Access (OWA) in a web browser. If users are using OWA, it is recommended to patch this as soon as possible. In addition, it is highly advised that you look into turning off document processing using Outside In to minimize the attack surface of your Exchange servers.
MS13-065 makes this list as an honorable mention. While listed as only important by Microsoft, attention should be called to this Ping-of-Death vulnerability. For those using IPv6, a denial of service vulnerability exists in the Windows TCP/IP stack that could cause the target system to stop responding until restarted. If you are not using IPv6 yet, I recommend turning IPv6 off on workstations and servers.
Aggregate coverage (combining host and network-based countermeasures together) is 12 out of 23. In particular, two of the three most critical sets of vulnerabilities, those related to IE (MS13-059) and the Windows font (MS13-060), are covered by the following McAfee endpoint security software and NSP (McAfee IPS):
- BOP (Buffer Overflow Protection with VSE)
- App Control
Additional research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.
Finally, in case you’re interested, these briefings are archived on the McAfee Community site.