
Microsoft Patch Tuesday Fixes 23 Security Vulnerabilities

Microsoft released fixes for 23 security vulnerabilities today including critical patches for Internet Explorer and Windows.

The fixes are spread across eight security bulletins. Three of them – covering issues in Internet Explorer (IE), Exchange and Windows – are rated ‘Critical.’ The remaining five are classified as ‘Important.’

“For those who need to prioritize deployment, we recommend focusing on MS13-059 (Internet Explorer) and MS13-060 (Windows) first,” blogged Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing.

The IE update closes 11 security holes in the browser, none of which is known to have come under attack so far. Virtually all of the issues, however, could allow an attacker to execute code remotely if the user is tricked into viewing specially crafted content. Among them is a vulnerability exploited by researchers earlier this year at the Pwn2Own competition at the CanSecWest security conference.

MS13-060 addresses a vulnerability in the Unicode Scripts Processor included in Windows that, if exploited, could allow remote code execution, provided the user viewed a specially crafted document or webpage with an application that supports embedded OpenType fonts.

“An attacker who successfully exploited this vulnerability could gain the same user rights as the current user,” according to Microsoft’s advisory. “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

The vulnerability only affects XP and Server 2003 installations, noted BeyondTrust CTO Marc Maiffret.

“Because this vulnerability lies within a shared component found in the operating system, used by third party applications, the attack vectors are far more widespread,” he said. “Any application that exposes the vulnerable portion of the Unicode Scripts Processor is susceptible to exploitation by attackers. The most likely attack vectors would be via a crafted document to be opened by an application, which would exploit the vulnerability and allow the attacker’s code to execute on the vulnerable system. Make sure to roll this patch out as soon as you can.”

The final critical bulletin is MS13-061, which resolves three publicly disclosed vulnerabilities in Microsoft Exchange Server. According to Microsoft, the vulnerabilities could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA).

“Two of the three vulnerabilities addressed in this bulletin, CVE-2013-2393 and CVE-2013-3776, exist in Exchange Server 2007, Exchange Server 2010, and Exchange Server 2013 through the WebReady Document Viewing feature,” Microsoft notes in the advisory. “The vulnerabilities could allow remote code execution as the LocalService account if a user views a specially crafted file through Outlook Web Access in a browser. An attacker who successfully exploited this vulnerability could run code on the affected Exchange Server, but only as the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network.”

The remaining bulletins address issues in Windows, including MS13-063, which closes another hole exposed at the CanSecWest conference (CVE-2013-2556).
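One way to act on the prioritization above is to ask each host which of the three critical bulletins it is still missing. The following PowerShell script is an added example, not code from the article or from Microsoft; it uses the Windows Update Agent COM API and assumes the host can reach its configured update source (WSUS or Microsoft Update).

```powershell
# Added example (not from the SecurityWeek article): report which of the August 2013
# critical bulletins named in the article are applicable but not yet installed on this host.
$priority = @('MS13-059', 'MS13-060', 'MS13-061')   # bulletin IDs taken from the article

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
# IsInstalled=0 limits the result to updates that apply to this machine but are missing
$result   = $searcher.Search('IsInstalled=0 and Type=''Software''')

$missing = foreach ($update in $result.Updates) {
    # SecurityBulletinIDs maps an update back to its MSxx-xxx bulletin(s)
    foreach ($id in @($update.SecurityBulletinIDs)) {
        if ($priority -contains $id) {
            [pscustomobject]@{
                Bulletin = $id
                Title    = $update.Title
                KB       = (@($update.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
                Severity = $update.MsrcSeverity
            }
        }
    }
}

if ($missing) {
    $missing | Sort-Object Bulletin | Format-Table -AutoSize
    exit 1   # non-zero exit so a scheduled job or management tool flags the host
} else {
    Write-Output 'All priority bulletins are installed or not applicable to this host.'
}
```

Run it under an account allowed to query Windows Update; a host that reports MS13-060 missing is one of the XP or Server 2003 systems the article singles out.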
