Microsoft released fixes for 34 security vulnerabilities today in a series of Patch Tuesday updates for Windows, Internet Explorer and other products.
Six of the seven bulletins this month are rated ‘Critical’, while the remaining bulletin is considered ‘Important’.
“The thing that jumps out this month is the repeated mention of a CVE-2013-3129 in three bulletins,” said Tyler Reguly, technical manager of security research and development at Tripwire. “This is important to note – everyone should ensure they are fully patched against this vulnerability.”
CVE-2013-3129 is a remote code execution vulnerability that exists in the way certain Windows components handle TrueType font files. It is mentioned in bulletins MS13-052, MS13-053 and MS13-054 and affects several different software packages, including Office, Visual Studio and Silverlight.
“Our recommendation is to start the patching process with MS13-053, a bulletin for Windows that applies to all versions of the OS,” blogged Wolfgang Kandek, CTO of Qualys. “It includes a fix for two high value vulnerabilities: first, CVE-2013-3129, the previously mentioned problem with Windows font parsing. The most likely attack vector is through end users browsing a malicious web page or opening an infected document, which results in Remote Code Execution that gives control of the affected machine to the attacker.”
The second high-value bug is CVE-2013-3660, a Windows zero-day that was detailed on the Full Disclosure mailing list, Kandek blogged. According to Microsoft, in most scenarios, an attacker who successfully exploited this vulnerability could escalate privileges on the targeted system, but it is also theoretically possible for an attacker to achieve remote code execution. This is unlikely due to memory randomization, Microsoft states.
One other bulletin sure to be high on administrators’ priority lists is MS13-055, which deals with 17 vulnerabilities in Internet Explorer. The other critical bulletins affect .NET Framework, Silverlight and GDI+. The sole bulletin rated ‘Important’ concerns a privately reported issue in Windows Defender for Windows 7 and Windows Defender installed on Windows Server 2008 R2 that could allow an attacker to elevate privileges.
“This month’s Patch Tuesday is the polar opposite of last month’s ho-hum, here-we-go-again-with-the-patches exercise,” said Ross Barrett, senior manager of security engineering at Rapid7. “There are seven advisories, six of which are critical issues allowing remote code execution. Basically everything in the core Microsoft world is affected by one or more of these; every supported OS, every version of MS Office, Lync, Silverlight, Visual Studio and .NET. It’s going to be a busy time for security teams everywhere.”
But it won’t just be busy because of Microsoft. Adobe Systems also released patches today for Flash Player, ColdFusion and Shockwave Player. Adobe said it is not aware of any of the vulnerabilities being actively exploited in the wild. Several of the bugs, however, are considered critical, so Adobe recommends that users upgrade to the latest versions as soon as possible.