SecurityWeek

Microsoft Closes 34 Security Holes in Patch Tuesday Update

Microsoft released fixes for 34 security vulnerabilities today in a series of Patch Tuesday updates for Windows, Internet Explorer and other products.

Six of the seven bulletins this month are rated ‘Critical’, while the remaining bulletin is considered ‘Important.’

“The thing that jumps out this month is the repeated mention of a CVE-2013-3129 in three bulletins,” said Tyler Reguly, technical manager of security research and development at Tripwire. “This is important to note – everyone should ensure they are fully patched against this vulnerability.”

CVE-2013-3129 is a remote code execution vulnerability that exists in the way certain Windows components handle TrueType font files. It is mentioned in bulletins MS13-052, MS13-053 and MS13-054 and affects several different software packages, including Office, Visual Studio and Silverlight.

“Our recommendation is to start the patching process with MS13-053, a bulletin for Windows that applies to all versions of the OS,” blogged Wolfgang Kandek, CTO of Qualys. “It includes a fix for two high value vulnerabilities: first, CVE-2013-3129, the previously mentioned problem with Windows font parsing. The most likely attack vector is through end users browsing a malicious web page or opening an infected document, which results in Remote Code Execution that gives control of the affected machine to the attacker.”

The second high-value bug is CVE-2013-3660, a Windows zero-day that was detailed on the Full Disclosure mailing list, Kandek blogged. According to Microsoft, in most scenarios, an attacker who successfully exploited this vulnerability could escalate privileges on the targeted system, but it is also theoretically possible for an attacker to achieve remote code execution. This is unlikely due to memory randomization, Microsoft states.

One other bulletin sure to be high on administrators’ priority lists is MS13-055, which deals with 17 vulnerabilities in Internet Explorer. The other critical bulletins impact .NET Framework, Silverlight and GDI+. The sole bulletin rated ‘important’ concerns a privately reported issue in Windows Defender for Windows 7 and Windows Defender installed on Windows Server 2008 R2 that could allow an attacker to elevate privilege.

“This month’s Patch Tuesday is the polar opposite of last month’s ho-hum, here-we-go-again-with-the-patches exercise,” said Ross Barrett, senior manager of security engineering at Rapid7. “There are seven advisories, six of which are critical issues allowing remote code execution. Basically everything in the core Microsoft world is affected by one or more of these; every supported OS, every version of MS Office, Lync, Silverlight, Visual Studio and .NET. It’s going to be a busy time for security teams everywhere.”

But it won’t just be busy because of Microsoft. Adobe Systems also released patches today for Flash Player, ColdFusion and Shockwave Player. Adobe said it is not aware of any of the vulnerabilities being actively exploited in the wild. Several of the bugs, however, are considered critical, so Adobe recommends users upgrade to the latest versions as soon as possible.

Written By

Marketing professional with a background in journalism and a focus on IT security.
