SecurityWeek

Microsoft Closes 34 Security Holes in Patch Tuesday Update

Microsoft released fixes for 34 security vulnerabilities today in a series of Patch Tuesday updates for Windows, Internet Explorer and other products.

Six of the seven bulletins this month are rated ‘Critical’, while the remaining bulletin is considered ‘Important.’


“The thing that jumps out this month is the repeated mention of a CVE-2013-3129 in three bulletins,” said Tyler Reguly, technical manager of security research and development at Tripwire. “This is important to note – everyone should ensure they are fully patched against this vulnerability.”

CVE-2013-3129 is a remote code execution vulnerability that exists in the way certain Windows components handle TrueType font files. It is mentioned in bulletins MS13-052, MS13-053 and MS13-054 and affects several different software packages, including Office, Visual Studio and Silverlight.

“Our recommendation is to start the patching process with MS13-053, a bulletin for Windows that applies to all versions of the OS,” blogged Wolfgang Kandek, CTO of Qualys. “It includes a fix for two high value vulnerabilities: first, CVE-2013-3129, the previously mentioned problem with Windows font parsing. The most likely attack vector is through end users browsing a malicious web page or opening an infected document, which results in Remote Code Execution that gives control of the affected machine to the attacker.”

The second high-value bug is CVE-2013-3660, a Windows zero-day that was detailed on the Full Disclosure mailing list, Kandek blogged. According to Microsoft, in most scenarios an attacker who successfully exploited this vulnerability could escalate privileges on the targeted system; remote code execution is theoretically possible as well, but Microsoft states that this is unlikely because of memory randomization.

One other bulletin sure to be high on administrators’ priority lists is MS13-055, which deals with 17 vulnerabilities in Internet Explorer. The other critical bulletins impact .NET Framework, Silverlight and GDI+. The sole bulletin rated ‘important’ concerns a privately reported issue in Windows Defender for Windows 7 and Windows Defender installed on Windows Server 2008 R2 that could allow an attacker to elevate privilege.

“This month’s Patch Tuesday is the polar opposite of last month’s ho-hum, here-we-go-again-with-the-patches exercise,” said Ross Barrett, senior manager of security engineering at Rapid7. “There are seven advisories, six of which are critical issues allowing remote code execution. Basically everything in the core Microsoft world is affected by one or more of these; every supported OS, every version of MS Office, Lync, Silverlight, Visual Studio and .NET. It’s going to be a busy time for security teams everywhere.”

But it won’t just be busy because of Microsoft. Adobe Systems also released patches today for Flash Player, ColdFusion and Shockwave Player. Adobe said it is not aware of any of the vulnerabilities being actively exploited in the wild. Several of the bugs however are considered critical, so Adobe recommends users upgrade to the latest versions as soon as possible.
