With US Thanksgiving around the corner Microsoft has released its monthly allotment of patches. This Patch Tuesday Microsoft has released 8 patches, addressing 19 individual vulnerabilities.


One important note is the November 5th  Microsoft Security Advisory (2896666) CVE-2013-3906 (http://technet.microsoft.com/en-us/security/advisory/2896666)  is not included in this Patch Tuesday. This unpatched remote code execution vulnerability specifically has to deal with how one of the Microsoft Graphics components within Microsoft Windows, Microsoft Office, and Microsoft Lync handles Tiff images.  The key to this attack is convincing a user to open an email message, open a file, or webpage which contains the image giving the adversary the same rights as the current logged in user. Currently McAfee has protection with Virus Scan Enterprise, Network Security Platform, and McAfee Vulnerability Manager. For more information about this threat please see http://blogs.mcafee.com/business/updates-and-mitigation-to-cve-2013-3906-zero-da y-threat.


   Of the eight patches released three patches are identified by Microsoft as “critical”.  The remainder patches are labeled “important” by Microsoft.  This month’s patches are as follows:

  • MS13-088 Cumulative Security Update for Internet Explorer (2888505)
  • MS13-089 Vulnerability in Windows Graphics Device Interface Could Allow Remote Code Execution (2876331)
  • MS13-090 Cumulative Security Update of ActiveX Kill Bits (2900986)
  • MS13-091 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2885093)
  • MS13-092 Vulnerability in Hyper-V Could Allow Elevation of Privilege (2893986)
  • MS13-093 Vulnerability in Windows Ancillary Function Driver Could Allow Information Disclosure (2875783)
  • MS13-094 Vulnerability in Microsoft Outlook Could Allow Information Disclosure (2894514)
  • MS13-095 Vulnerability in Digital Signatures Could Allow Denial of Service (2868626)


Looking over the patches I would like to highlight the following three critical patches:


MS13-090- our first highlighted patch is listed as critical, for Windows XP, Vista, 7, 8, 8.1, RT. For all supported editions of Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2, this security update is rated Moderate. This privately reported vulnerability is currently being exploited by malicious content creators and is recommended to be patched ASAP.  The vulnerability could allow remote code execution if a user views a webpage with Internet Explorer, instantiating the ActiveX.  This patch should be the top priority of your patching cycle this month if you have these versions of Windows in your environment.

MS13-088- Is the second update I would like to highlight consisting of  patches for 10 critical  remote execution vulnerabilities  found in all currently supported versions of Internet Explorer including the latest, IE 11. The security update fixes eight memory corruption issues, along with two flaw that could allow information disclosure. As with most browser based attacks the, trajectory for this vulnerability would be a malicious webpage or possibly sent to the victim in a spear-phishing e-mail.   Though there no known use of these vulnerabilities, with the recent release of this patch it will be only a short time before an adversary uses this vulnerability. This patch should be the top priority of your patching cycle this month.

MS13-089- Is the second update I would like to highlight consisting of patches for vulnerabilities found in all version of supported Windows from XP to 2012 server and including the RT version for Windows for  tablets. The security update fixes vulnerability that could allow remote code execution if a user views or opens a malicious Windows Write file in the built in Windows application of WordPad. Once open in Word Pad the malicious picture file modifies the way that the Graphics Device Interface handles image files giving the attacker the same access as the current logged on user. While this vulnerability requires the barely used application WinWord to execute its malicious content, I would still recommend patching this as soon as possible.


Aggregate coverage (combining host and network-based countermeasure together) is 14 out of 19. McAfee Vulnerability manager has the ability to scan and detect all 19 vulnerabilities.   In particular, coverage for all of the three most critical (MS13-088),(MS13-90), and (MS13-089) related vulnerabilities are covered by the following McAfee endpoint security software and NSP (McAfee IPS):

  • BOP ( Buffer Overflow Protection ww/ VSE)
  • HIPS
  • NSP
  • App Control
  • MVM



  Additional research is being performed 24/7 by McAfee Labs, and coverage may improve as additional results come in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

Finally, in case you’re interested, these briefings are archived on the McAfee Community site and newly archived on the McAfee Community Site

Happy patching!